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Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by 
the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General 
Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our 
oversight responsibilities to promote economy, efficiency, and effectiveness within the department. 

The attached report presents financial information excerpted from DHS' Annual Financial Report 
(AFR) and the results of the DHS financial statement audits for fiscal year (FY) 2007 and FY 2006. 
We contracted with the independent public accounting firm KPMG LLP (KPMG) to perform the 
audits. The contract required that KPMG perform its audits according to generally accepted 
government auditing standards and guidance from the Office of Management and Budget and the 
Government Accountability Office. KPMG was unable to provide an opinion on DHS' balance 
sheet as of September 30, 2007 and 2006. The FY 2007 auditor's report discusses eight significant 
deficiencies, seven of which are considered material weaknesses in internal control, and eight 
instances of noncompliance with laws and regulations. KPMG is responsible for the attached 
auditor's report dated November 15, 2007, and the conclusions expressed in the report. We do not 
express opinions on DHS' financial statements or internal control or conclusions on compliance with 
laws and regulations. 

The recommendations herein have been discussed in draft with those responsible for 
implementation. It is our hope that this report will result in more effective, efficient, and economical 
operations. We express our appreciation to all of those who contributed to the preparation of this 
report. 




Richard L. Skinner 
Inspector General 
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Washington, DC 20528 




NOV 1 5 2007 



MEMORANDUM FOR: 



The Honorable Michael Chertoff 



Secretary 




FROM: 



Richard L. Skinner 
Inspector General 



SUBJECT: 



Independent Auditors ' Report on DHS ' FY 2007 Balance Sheet and 
Statement of Custodial Activity 



The attached report presents the results of the Department of Homeland Security's (DHS or 
Department) financial statement audits for fiscal year (FY) 2007 and FY 2006. These audits were 
required by the Chief Financial Officers Act of 1990. This report is incorporated into the 
Department's FY 2007 Annual Financial Report. We contracted with the independent public 
accounting firm KPMG LLP (KPMG) to perform the audits. 

Generally the corrective action plans for DHS's non-military components, except for FEMA, have 
started to show results of improving financial reporting during FY 2007, although overall the 
department still has much work remaining. For the fourth year, KPMG was unable to provide an 
opinion on the department's balance sheet; although elements and conditions of prior year 
weaknesses have been corrected, material weaknesses exist in the same processes as in prior years. 



KPMG was unable to express an opinion on the Department's balance sheets as of September 30, 
2007 and 2006 and on the related statements of custodial activity for the years then ended, because 
DHS was unable to represent that certain financial statement balances were correct, and unable to 
provide sufficient evidence to support its financial statements. In connection with the audits, DHS' 
internal controls over financial reporting and compliance with certain provisions of laws and 
regulations were considered. As a result, the FY 2007 Independent Auditors' Report discusses seven 
material weaknesses, one other significant deficiency in internal control, and eight instances of non- 
compliance with laws and regulations, as follows: 

Significant Deficiencies That Are Considered To Be Material Weaknesses 

A. Financial Management and Entity-level Controls 

B. Financial Reporting 

C. Financial Systems Security 

D. Fund Balance with Treasury 



Summary 



E. 
F. 
G. 



Capital Assets and Supplies 
Actuarial and Other Liabilities 
Budgetary Accounting 



Other Significant Deficiency 



H. 



Custodial Revenue and Drawback 



Non-compliance with Laws and Regulations 



I. Federal Managers' Financial Integrity Act of 1982 (FMFIA) 

J. Federal Financial Management Improvement Act of 1996 (FFMIA) 

K. Single Audit Act Amendments of 1996, and laws and regulations supporting OMB Circular 

No. A-50, Audit Follow-up, as revised 
L. Improper Payments Information Act of 2002 (IPIA) 
M. Chief Financial Officers Act of 1990 
N. Government Performance and Results Act of 1993 (GPRA) 
O. Debt Collection Improvement Act of 1996 (DCIA) 
P. Anti-deficiency Act 

Moving DHS' Financial Management Forward 

While the auditors' noted improvement toward correction of internal control weaknesses, the 
Department was unable to represent that its financial statements as of, and for the year ended, 
September 30, 2007, were presented in conformity with U.S. generally accepted accounting 
principles. The U.S. Coast Guard, (USCG), DHS-HQ / Office of Financial Management (OFM), 
and Federal Emergency Management Agency (FEMA), were unable to provide sufficient evidence 
to support account balances presented in the financial statements and collectively contributed to the 
auditors' inability to render an opinion. 

However, OFM has fully corrected its material weakness in Financial Management and Entity Level 
Controls reported in FY 2006. Additionally, in FY 2007 OFM, Immigration and Customs 
Enforcement (ICE), Customs and Border Protection (CBP), US-Visit and the Federal Law 
Enforcement Training Center (FLETC) mitigated the severity of their financial systems security 
material weaknesses through corrective actions implemented during 2006 and 2007, but have not 
completely resolved their financial systems security control weaknesses as of September 30, 2007. 

The Coast Guard began FY 2007 with a focus on financial management oversight, financial 
reporting, and fund balance with Treasury. However, the Coast Guard was not able to fully 
remediate prior year control weaknesses, and the auditors again reported that the Coast Guard 
contributed to all seven material weaknesses, and did not have an organizational structure that fully 
supported the development and implementation of effective policies, procedures, and internal 
controls. Management officials within the Coast Guard acknowledged to the auditors that 



longstanding procedural, control, personnel, and cultural issues existed and had impeded their 
progress in installing an effective financial management structure. The auditors' reported that the 
Coast Guard's personnel rotation policy, among other issues, made it difficult for the Coast Guard's 
Chief Financial Officer to institutionalize internal controls related to financial management and 
reporting. 

Conditions at FEMA deteriorated in FY 2007 with FEMA now contributing to six material 
weaknesses instead of two material weaknesses in FY 2006. The auditors identified that FEMA has 
not established a financial management organizational structure, with clear oversight and 
supervisory review functions that support the development and implementation of effective policies, 
procedures, and internal controls over financial reporting, to ensure that accounting principles are 
correctly applied, and accurate financial data is submitted to OFM for consolidation in a timely 
manner. The auditors also noted that the FEMA Chief Financial Officer does not have clearly 
defined and complete authority and responsibility for all financial accounting policy, processes and 
control functions throughout the agency. 

Many of the DHS' difficulties in financial management and reporting can be attributed to the 
original stand-up of a large, new, and complex executive branch agency without adequate 
organizational expertise in financial management and accounting. Although the Department made 
strides in remediating weaknesses during FY 2007, it has committed to focusing on remediation 
efforts at USCG and FEMA, while sustaining progress made throughout FY 2007. Additionally, the 
department remains committed to obtaining additional human resources and other critical 
infrastructure necessary to develop reliable financial processes, policies, procedures, and internal 
controls that will enable management to represent that financial statements are complete and 
accurate. These resources and infrastructure are critical to the implementation of effective corrective 
actions and to establishing an effective financial management oversight function. During the past 
year, the Department and its components continued the extensive effort to develop meaningful 
corrective action plans to address specific material internal control weaknesses. We are evaluating 
the effectiveness of those corrective action plans in a separate series of audits. 

KPMG is responsible for the attached independent auditor's report dated November 15, 2007, and 
the conclusions expressed in the report. We do not express opinions on financial statements or 
internal control or conclusions on compliance with laws and regulations. 

Consistent with our responsibility under the Inspector General Act, we are providing copies of this 
report to appropriate congressional committees with oversight and appropriation responsibilities over 
the Department. In addition, we will post a copy of the report on our public website. 

We request that each of the Department's chief financial officers provide us with a corrective action 
plan that demonstrates their progress in addressing the report's recommendations. 



We appreciate the cooperation extended to the auditors by the department's financial offices. 
Should you have any questions, please call me, or your staff may contact Anne Richards, Assistant 
Inspector General for Audits, at 202-254-4100. 



Attachment 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 



INDEPENDENT AUDITORS' REPORT 



Secretary and Inspector General 

U.S. Department of Homeland Security: 

We were engaged to audit the accompanying balance sheets of the U.S. Department of Homeland 
Security (DHS or Department) as of September 30, 2007 and 2006, and the related statements of 
custodial activity for the years then ended (referred to herein as "financial statements"). In connection 
with our fiscal year 2007 audit, we also considered DHS' internal controls over financial reporting, and 
DHS' compliance with certain provisions of applicable laws, regulations, contracts, and grant 
agreements that could have a direct and material effect on these financial statements. We were not 
engaged to audit the accompanying statements of net cost, changes in net position, and budgetary 
resources, for the years ended September 30, 2007 and 2006 (referred to herein as "other fiscal year 
2007 and 2006 financial statements"). 

Summary 

As discussed in our report on the financial statements, the scope of our work was not sufficient to 
express an opinion on the DHS balance sheets as of September 30, 2007 and 2006, or the related 
statements of custodial activity for the years then ended. 

In fiscal year 2007, DHS changed its method of reporting the reconciliation of budgetary resources 
obligated to the net cost of operations, and changed its method of reporting certain mixed funding 
budgetary authority. 

Our consideration of internal control over financial reporting resulted in the following conditions being 
identified as significant deficiencies: 

A. Financial Management and Entity Level Controls 

B. Financial Reporting 

C. Financial Systems Security 

D. Fund Balance with Treasury 

E. Capital Assets and Supplies 

F. Actuarial and Other Liabilities 

G. Budgetary Accounting 

H. Custodial Revenue and Drawback 

We consider significant deficiencies A through G, above, to be material weaknesses. 

We noted that DHS did not present five years of Required Supplemental Stewardship Information 
(RSSI) information, as required by U.S. generally accepted accounting principles. 

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant 
agreements disclosed the following instances of noncompliance or other matters that are required to be 
reported under Government Auditing Standards, issued by the Comptroller General of the United 
States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for 
Federal Financial Statements'. 

I. Federal Managers ' Financial Integrity Act of 1982 (FMFIA) 

J. Federal Financial Management Improvement Act of 1996 (FFMIA) 



K. Single Audit Act Amendments of 1996, and Laws and Regulations Supporting OMB Circular 

No. A-50, Audit Follow-up, as revised 
L. Improper Payments Information Act of 2002 
M. Chief Financial Officers Act of 1990 
N. Government Performance and Results Act of 1993 
O. Debt Collection Improvement Act of 1996 
P. Anti-deficiency Act 

We also reported other matters related to compliance with the Anti-deficiency Act at the National 
Protection and Programs Directorate (NPPD) and at the Federal Law Enforcement Training Center 
(FLETC). 

Other internal control matters and other instances of non-compliance may have been identified and 
reported had we been able to perform all procedures necessary to express an opinion on the DHS 
balance sheets as of September 30, 2007 and 2006, and the related statements of custodial activity for 
the years then ended, and had we been engaged to audit the other fiscal year 2007 and 2006 financial 
statements. 

The following sections discuss the reasons why we are unable to express an opinion on the 
accompanying DHS balance sheets as of September 30, 2007 and 2006, and on the statements of 
custodial activity for the years then ended; our consideration of DHS' internal control over financial 
reporting; our tests of DHS' compliance with certain provisions of applicable laws, regulations, 
contracts, and grant agreements and other matters; and management's and our responsibilities. 

Report on the Financial Statements 

We were engaged to audit the accompanying balance sheets of the U.S. Department of Homeland 
Security as of September 30, 2007 and 2006, and the related statements of custodial activity for the 
years then ended. We were not engaged to audit the accompanying statements of net cost, changes in 
net position, and budgetary resources for the years ended September 30, 2007 and 2006. 

The United States Coast Guard (Coast Guard) was unable to provide sufficient evidential matter or 
make knowledgeable representations of facts and circumstances, that support transactions and account 
balances of the Coast Guard, as presented in the DHS balance sheets at September 30, 2007 and 2006; 
particularly with respect to fund balance with Treasury, accounts receivable, inventory and related 
property, certain categories of property, plant and equipment, actuarially-derived liabilities, 
environmental and other liabilities, undelivered orders and changes in net position, and adjustments, 
both manual and automated, made as part of Coast Guard's financial reporting process. The Coast 
Guard was unable to complete corrective actions, and make adjustments, as necessary, to these and 
other balance sheet amounts, prior to the completion of the DHS 2007 Annual Financial Report (AFR). 
Because of the significance of these account balances and/or transactions and conditions noted above, 
Coast Guard management was unable to represent that the Coast Guard's balance sheets as of 
September 30, 2007 and 2006, were fairly stated in conformity with U.S. generally accepted accounting 
principles. The total assets of Coast Guard, as reported in the accompanying DHS balance sheet, were 
$15.9 billion and $12.5 billion, or 20 percent and 16 percent of total DHS consolidated assets as of 
September 30, 2007 and 2006, respectively. 

DHS Office of Financial Management (OFM) and certain DHS components were unable to reconcile 
intragovernmental transactions and balances with other Federal trading partners totaling approximately 
$1.5 billion as of September 30, 2007, prior to the completion of the DHS 2007 AFR. In addition, DHS 
was unable to provide sufficient evidential matter to support its recording of $1.5 billion in both fund 
balance with Treasury and undelivered orders at September 30, 2007, resulting from a budgetary 
allocation transfer made by the Office of Health Affairs (OHA), a DHS component, to another Federal 
agency, in fiscal year 2007. Because of the significance of this allocation transfer, DHS management 
was unable to represent that the balance sheet of OHA is fairly stated in conformity with U.S. generally 
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accepted accounting principles at September 30, 2007. The total assets of OHA, as reported in the 
accompanying DHS balance sheet as of September 30, 2007, were $3.3 billion or 4 percent of total 
DHS consolidated assets. In fiscal year 2006, OFM and certain DHS components were unable to 
provide sufficient evidential matter supporting the completeness and accuracy of the Department's 
accrued legal liability totaling $71 million as of September 30, 2006, and related contingent legal 
liabilities as disclosed in Note 21 to the financial statements; reconcile intragovernmental transactions 
and balances with other Federal trading partners totaling $3.5 billion, as of September 30, 2006; or 
provide sufficient evidential matter or make knowledgeable representations of the facts and 
circumstances that support its implementation of Statement of Federal Financial Accounting Standard 
(SFFAS) No. 27, Identifying and Reporting Earmarked Funds, prior to the completion of DHS' 2006 
Performance and Accountability Report (PAR). 

Federal Emergency Management Agency (FEMA) was unable to fully support the accuracy and 
completeness of certain stockpiled supplies, unpaid obligations related to mission assignments, and 
certain grants payable/advances, and the related effects on net position, if any, prior to the completion 
of the DHS 2007 AFR. The stockpiled supplies, as reported in the accompanying DHS balance sheet as 
of September 30, 2007 were $243 million or 38 percent of DHS' consolidated inventory and related 
property. FEMA's unpaid obligations related to mission assignments, as reported in the accompanying 
DHS balance sheet as of September 30, 2007, were $2.6 billion or 5 percent of DHS' consolidated 
unexpended appropriations. FEMA's net grants payable/advances, as reported in the DHS balance 
sheet as of September 30, 2007, were $149 million or 3 percent of DHS' consolidated accounts payable. 
The total net position of FEMA as reported in the accompanying DHS balance sheet as of September 
30, 2007, was $ 10. 1 billion or 12.8 percent of DHS' consolidated liabilities and net position. In fiscal 
year 2006, FEMA was unable to fully support the accuracy and completeness of certain unpaid 
obligations and accounts payable, and the related effect on net position, if any, prior to the completion 
of DHS' 2006 PAR. FEMA's unpaid obligations, as reported in the accompanying DHS balance sheet 
as of September 30, 2006, were $22.3 billion or 46 percent of DHS' consolidated unexpended 
appropriations. FEMA's accounts payable, as reported in the DHS balance sheet as of September 30, 
2006, were $1 .5 billion or 33 percent of DHS' consolidated accounts payable. The total net position of 
FEMA as reported in the accompanying DHS balance sheet as of September 30, 2006, was $1 1.2 
billion or 14 percent of DHS' consolidated liabilities and net position. 

In fiscal year 2006, Transportation Security Administration (TSA) was unable to provide sufficient 
evidential matter or make knowledgeable representations of facts and circumstances that support certain 
transactions and account balances of TSA, as presented in the DHS balance sheet at September 30, 
2006, particularly with respect to property and equipment, accounts payable, accrued unfunded 
employee leave, and the components of net position. Because of the significance of these account 
balances and/or transactions and conditions noted above, TSA management was unable to represent that 
TSA's balance sheet as of September 30, 2006, was fairly stated in conformity with U.S. generally 
accepted accounting principles. The total assets of TSA as reported in the accompanying DHS balance 
sheet as of September 30, 2006, were $4.1 billion or 5 percent of DHS consolidated assets. 

In fiscal year 2006, Immigration and Customs Enforcement (ICE), was unable to fully support the 
accuracy and completeness of certain accounts payable and undelivered orders, and the related effect on 
net position, if any, prior to the completion of the DHS 2006 PAR. ICE's accounts payable and 
undelivered orders, as reported in the accompanying DHS balance sheet as of September 30, 2006, 
were $319 million or 7 percent of DHS' consolidated total accounts payable, and $1.2 billion or 2.5 
percent of DHS' consolidated unexpended appropriations, respectively. 

In fiscal year 2006, the Management Directorate was unable to fully support the accuracy and 
completeness of certain accounts payable and undelivered orders, and the related effect on net position, 
if any, prior to the completion of the DHS 2006 PAR. The Management Directorate's accounts payable 
and undelivered orders, as reported in the accompanying DHS balance sheet as of September 30, 2006, 
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were $60 million or 1.3 percent of consolidated total accounts payable, and $527 million or 1 1 percent 
of DHS consolidated unexpended appropriations, respectively. 

In addition, we were unable to obtain appropriate representations from DHS management, regarding the 
matters described above, including certain representations as to compliance with U.S. generally 
accepted accounting principles, with respect to the accompanying DHS balance sheets and related 
statements of custodial activity as of and for the years ended September 30, 2007 and 2006, and were 
unable to determine the effect of the lack of such representations on the 2007 and 2006 DHS' financial 
statements. 

It was impractical to extend our procedures sufficiently to determine the extent, if any, to which the 
DHS balance sheets as of September 30, 2007 and 2006, and the related statements of custodial activity 
for the years then ended, may have been affected by the matters discussed in the seven preceding 
paragraphs. Accordingly, the scope of our work was not sufficient to enable us to express, and we do 
not express, an opinion on these financial statements. 

We were not engaged to audit the accompanying statements of net cost, changes in net position, and 
budgetary resources for the years ended September 30, 2007 and 2006, and accordingly, we do not 
express an opinion on these financial statements. 

As discussed in Note 34, DHS restated its fiscal year 2006 financial statements to correct multiple 
errors identified by TSA, ICE, NPPD, United States Citizenship and Immigration Services, Science and 
Technology Directorate, FLETC, and Management Directorate that required adjustment of balances 
previously reported in DHS' fiscal year 2006 financial statements. Because of the matters discussed 
above regarding our fiscal year 2006 audit, and the control deficiencies described in our report on 
internal control over financial reporting, we were unable to audit the restatements discussed in Note 34, 
and accordingly, we have not concluded on the appropriateness of this accounting treatment or the 
restatement of the DHS balance sheet as of September 30, 2006. 

As discussed in Notes 35 and 36 to the financial statements, in fiscal year 2007, DHS changed its 
method of reporting the reconciliation of budgetary resources obligated to the net cost of operations and 
changed its method of reporting certain mixed funding budgetary authority. 

The information in the Management's Discussion and Analysis (MD&A), RSSI, and Required 
Supplementary Information (RSI) sections of the DHS AFR is not a required part of the financial 
statements, but is supplementary information required by U.S. generally accepted accounting principles 
and OMB Circular A- 136. We were unable to complete limited procedures over MD&A, RSSI, and RSI 
as prescribed by professional standards, because of the limitations on the scope of our audit described in 
the previous paragraphs of this section of our report. Certain information presented in the MD&A, 
RSSI, and RSI is based on fiscal year 2007 and 2006 financial statements on which we have not 
expressed an opinion. We did not audit the MD&A, RSSI, and RSI and, accordingly, we express no 
opinion on it. However, in fiscal year 2007, we noted that DHS did not present five years of RSSI 
information that U.S. generally accepted accounting principles has determined is necessary to 
supplement, although not required to be part of, the financial statements. 

The information in pages 12 through 23, Section II - Performance Achievements and Key Performance 
Measures, Section IV - Other Accompanying Information, and Section V - Appendices, of DHS' 2007 
AFR are presented for purposes of additional analysis, and are not a required part of the financial 
statements. This information has not been subjected to auditing procedures, and accordingly, we 
express no opinion on it. 

Internal Control over Financial Reporting 

Our consideration of the internal control over financial reporting was for the limited purpose described 
in the Responsibilities section of this report and would not necessarily identify all deficiencies in the 
internal control over financial reporting that might be significant deficiencies or material weaknesses. 
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A control deficiency exists when the design or operation of a control does not allow management or 
employees, in the normal course of performing their assigned functions, to prevent or detect 
misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of 
control deficiencies, that adversely affects DHS' ability to initiate, authorize, record, process, or report 
financial data reliably in accordance with U.S. generally accepted accounting principles such that there 
is more than a remote likelihood that a misstatement of DHS' financial statements that is more than 
inconsequential will not be prevented or detected by DHS' internal control over financial reporting. A 
material weakness is a significant deficiency, or combination of significant deficiencies, that results in 
more than a remote likelihood that a material misstatement of the financial statements will not be 
prevented or detected by DHS' internal control. 

Significant deficiencies in internal control over financial reporting and its operation are described in 
Exhibits I, II, and III. Deficiencies that are considered to be material weaknesses at the Coast Guard, 
when aggregated at the consolidated level, are presented in Exhibit I. Deficiencies that are considered 
to be material weaknesses at DHS-Headquarters (HQ), OFM, and all other DHS components, when 
aggregated at the consolidated level, are presented in Exhibit II. Exhibit III presents other significant 
deficiencies that are not considered to be material weaknesses. As discussed in the Report on the 
Financial Statements section, the scope of our work was not sufficient to express an opinion on the 
balance sheets as of September 30, 2007 and 2006, and the related statements of custodial activity for 
the years then ended, and accordingly, other internal control matters may have been identified and 
reported had we been able to perform all procedures necessary to express an opinion on those financial 
statements, and had we been engaged to audit the other fiscal year 2007 and 2006 financial statements. 
A summary of the status of fiscal year 2006 reportable conditions is included as Exhibit V. 

We also noted certain additional matters involving internal control over financial reporting and its 
operation that we will report to the management of DHS in a separate letter. 

Compliance and Other Matters 

Our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements, as 
described in the Responsibilities section of this report, exclusive of those referred to in the FFMIA, 
disclosed eight instances of noncompliance that are required to be reported under Government Auditing 
Standards or OMB Bulletin No. 07-04, and are described in Exhibit IV. 

The results of our tests of compliance exclusive of those referred to in FFMIA, disclosed no other 
instances of noncompliance or other matters that are required to be reported under Government 
Auditing Standards or OMB Bulletin No. 07-04. 

The results of our tests of FFMIA, disclosed instances described in Exhibits I, II and III where DHS' 
financial management systems did not substantially comply with Federal financial management systems 
requirements, applicable Federal accounting standards, and the United States Government Standard 
General Ledger at the transaction level. 

As discussed in our report on the financial statements, the scope of our work was not sufficient to express 
an opinion on the balance sheets as of September 30, 2007 and 2006, and the related statements of 
custodial activity for the years then ended, and accordingly, other instances of non-compliance with laws, 
regulations, contracts, and grant agreements may have been identified and reported, had we been able to 
perform all procedures necessary to express an opinion on those financial statements, and had we been 
engaged to audit the other fiscal year 2007 and 2006 financial statements. 

Other Matters. NPPD management has initiated a review of the classification and use of certain funds 
that may identify a violation of the Anti-deficiency Act, or other violations of appropriation law in fiscal 
year 2007 or in previous years. In addition, FLETC management has initiated a review of the 
classification of certain liabilities, recorded in their accounting records that may identify a violation of 
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the Anti-deficiency Act, or other violations of appropriation law that may have occurred during fiscal 
year 2007 or during previous years. 

Management's Response to Internal Control and Compliance Findings 

DHS management has indicated, in a separate letter immediately following this report, that it concurs 
with the findings presented in Exhibits I, II, III, and IV of our report. We did not audit DHS's response 
and, accordingly, we express no opinion on it. 

Responsibilities 

Management's Responsibilities. The United States Code, Title 31, Sections 3515 and 9106 require 
agencies to report annually to Congress on their financial status and any other information needed to 
fairly present their financial position and results of operations. To meet these reporting requirements, 
DHS prepares and submits financial statements in accordance with OMB Circular No. A- 136. 

Management is responsible for the financial statements, including: 

• Preparing the financial statements in conformity with U.S. generally accepted accounting 
principles; 

• Preparing the MD&A (including the performance measures), RSI, and RSSI; 

• Establishing and maintaining effective internal control; and 

• Complying with laws, regulations, contracts, and grant agreements applicable to DHS, 
including FFMIA. 

In fulfilling this responsibility, management is required to make estimates and judgments to assess the 
expected benefits and related costs of internal control policies. 

Auditors' Responsibilities. As discussed in the report on the financial statements section, the scope of 
our work was not sufficient to enable us to express, and we do not express, an opinion on the DHS 
balance sheets as of September 30, 2007 and 2006, or on the related statements of custodial activity for 
the years then ended; and we were not engaged to audit the accompanying statements of net cost, 
changes in net position, and budgetary resources for the years ended September 30, 2007 and 2006. 

In connection with our fiscal year 2007 engagement, we considered DHS ' internal control over 
financial reporting by obtaining an understanding of DHS' internal control, determining whether 
internal controls had been placed in operation, assessing control risk, and performing tests of controls in 
order to determine our procedures. We limited our internal control testing to those controls necessary 
to achieve the objectives described in Government Auditing Standards and OMB Bulletin No. 07-04. 
We did not test all internal controls relevant to operating objectives as broadly defined by the FMFIA. 
The objective of our engagement was not to provide an opinion on the effectiveness of DHS' internal 
control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of 
DHS' internal control over financial reporting. Further, other matters involving internal control over 
financial reporting may have been identified and reported had we been able to perform all procedures 
necessary to express an opinion on the DHS balance sheet as of September 30, 2007, and the related 
statement of custodial activity for the year then ended, and had we been engaged to audit the other 
fiscal year 2007 financial statements. 

In connection with our fiscal year 2007 engagement, we performed tests of DHS' compliance with 
certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which 
could have a direct and material effect on the determination of the balance sheet amounts as of 
September 30, 2007, and the related statement of custodial activity for the year then ended, and certain 
provisions of other laws and regulations specified in OMB Bulletin No. 07-04, including certain 
provisions referred to in FFMIA. We limited our tests of compliance to the provisions described in the 
preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant 
agreements applicable to the DHS. However, providing an opinion on compliance with laws, 
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regulations, contracts, and grant agreements was not an objective of our engagement and, accordingly, 
we do not express such an opinion. In addition, other matters involving compliance with laws, 
regulations, contracts, and grant agreements may have been identified and reported had we been able to 
perform all procedures necessary to express an opinion on the DHS balance sheet as of September 30, 
2007, and the related statement of custodial activity for the year then ended, and had we been engaged 
to audit the other fiscal year 2007 financial statements. 

Under OMB Bulletin No. 07-04 and FFMIA, we are required to report whether DHS' financial 
management systems substantially comply with (1) Federal financial management systems 
requirements, (2) applicable Federal accounting standards, and (3) the United States Government 
Standard General Ledger at the transaction level. To meet this requirement, we performed tests of 
compliance with FFMIA Section 803(a) requirements. However, as discussed in our report on the 
financial statements, the scope of our work was not sufficient to express an opinion on the balance sheet 
as of September 30, 2007, and the related statement of custodial activity for the year then ended, and 
accordingly, other instances of non-compliance may have been identified and reported, had we been 
able to perform all procedures necessary to express an opinion on the those financial statements, and 
had we been engaged to audit the other fiscal year 2007 financial statements. 

Restricted Use 

This report is intended solely for the information and use of DHS management, DHS Office of 
Inspector General, OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not 
intended to be and should not be used by anyone other than these specified parties. 




November 15, 2007 
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Independent Auditors' Report 

Introduction to Exhibits on Internal Control and Compliance and Other Matters 



Our report on internal control over financial reporting and compliance and other matters is 
presented in accordance with Government Auditing Standards, issued by the Comptroller General 
of the United States. The internal control weaknesses, and findings related to compliance with 
certain laws, regulations, contacts, and grant agreements presented herein were identified during 
our engagement to audit the Department of Homeland Security (DHS or Department) balance 
sheet and related statement of custodial activity as of and for the year ended September 30, 2007. 
We were not engaged to audit the Department's fiscal year 2007 statements of net cost, changes 
in net position, and budgetary resources (referred to as other fiscal year 2007 financial 
statements). Our findings and the status of prior year findings are presented in five exhibits: 

Exhibit I Significant deficiencies in internal control identified at the Coast Guard. All of the 
significant deficiencies reported in Exhibit I are considered material weaknesses 
that individually, or when combined with other significant deficiencies reported in 
Exhibit II, are considered material weaknesses at the DHS consolidated financial 
statement level. 

Exhibit II Significant deficiencies in internal control identified at other DHS components and 
the Office of the Chief Financial Officer (collectively referred to as DHS Civilian 
Components). All of the significant deficiencies reported in Exhibit II are 
considered material weaknesses that individually, or when combined with other 
significant deficiencies reported in Exhibit I, are considered material weaknesses at 
the DHS consolidated financial statement level. 

Exhibit III A significant deficiency that is not considered a material weakness at the DHS 
consolidated financial statement level. 

Exhibit IV Instances of noncompliance with certain laws, regulations, contracts, and grant 

agreements that are required to be reported under Government Auditing Standards 
or Office of Management and Budget (OMB) Bulletin No. 07-04, Audit 
Requirements for Federal Financial Statements. 

Exhibit V The status of our findings reported in fiscal year 2006. 

As stated in our Independent Auditors' Report, our consideration of internal control over financial 
reporting would not necessarily disclose all matters that might be significant deficiencies or 
instances of noncompliance. We were not engaged to audit the other 2007 financial statements. 
In addition, the scope of our work was not sufficient to express an opinion on the financial 
statements that we were engaged to audit; consequently, other internal control matters and 
instances of noncompliance may have been identified and reported had we been engaged to audit 
all of the FY 2007 financial statements, and had we been able to perform all procedures necessary 
to express an opinion on those financial statements. 

The determination of which findings rise to the level of a material weakness is based on an 
evaluation of how all component conditions, considered in aggregate, may affect the DHS 
balance sheet as of September 30, 2007 or the related statement of custodial activity for the year 
then ended. 

We have also performed follow-up procedures on findings identified in previous engagements to 
audit the DHS financial statements. All of the material weaknesses identified and reported in 
Exhibit I for the Coast Guard are repeated from our FY 2005 and FY 2006 report, and include 
updates for new findings resulting from our 2007 audit procedures. To provide trend information 
for the DHS Civilian Components, Exhibit II contains a Trend Table next to the heading of each 
finding, except Exhibit II-C, Financial Systems Security. The Trend Table depicts the level and 
current status of findings, by component, that have contributed to that finding from 2005 through 
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2007. Significant deficiencies and material weaknesses, by component, included in the Exhibit II 
trend tables, are presented below. 

The table below presents a summary of our internal control findings, by component, for fiscal 
year 2007. We have reported seven material weaknesses at the Department level in 2007, which 
is reduced from ten reported in 2006. While the DHS Civilian Components have made substantial 
progress in correcting control deficiencies, as shown in the Trend Tables in Exhibit II, the 
reduction in material weaknesses at the Department level in 2007 is due to a consolidation of 
findings into fewer, but broader categories for reporting purposes. 



SUMMARIZED DHS FV 2007 INTERNAL CONTROL FINDINGS 



Material Weaknesses 



A Financial Management & ELC 

B Financial Reporting 

C Financial Systems Security 

D Fund Balance With Treasury 

E Capital Assets and Supplies 

F Actuarial and Other Liabilities 

G Budgetary Accounting 



Significant Deficiencies 



H Custodial Revenue and Drawback 



Coast 
Guard 



Exhibit I 



MW 



MW 



MW 



MW 



MW 



MW 
MW 



DHS 
HQ 



CBP 



FEMA 



ICE 



Exhibit II 



US- 
Visit 



TSA 



FLETC 







MW 










MW 




MW 






SD 




SD 


SD 




SD 






SD 






















SD 


SD 








MW 






SD 








MW 









Exhibit III 



SD 



Significant Deficiency (SD's in Exhibit II contribute to Department level material weakness ) 

Material Weakness (individually, or when combined with other findings, result in Department level material weakness) 



All components of DHS, as defined in Note 1A - Reporting Entity, to the financial statements, 
were included in the scope of our engagement to audit the consolidated balance sheet of DHS as 
of September 30, 2007 and the related statement of custodial activity for the year then ended. 
Accordingly, our audit considered significant account balances and transactions of other DHS 
components not listed above. Control deficiencies identified in other DHS components that are 
not identified in the table above, did not individually, or when combined with other component 
findings, contribute to a reportable control deficiency at the DHS consolidated financial statement 
level. 
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I-A Financial Management and Entity-Level Controls 

Background: In FY 2006, we reported that significant weaknesses in financial management 
oversight hindered the United States Coast Guard's (Coast Guard) ability to prepare accurate, 
complete, and timely financial information. Those conditions have not been corrected and 
continue to affect Coast Guard's financial management and reporting processes. During FY 2007, 
the Coast Guard developed a Corrective Action Plan (CAP) called the Financial Strategy for 
Transformation and Audit Remediation (FSTAR) to address the conditions described below, and 
throughout this Exhibit. However, significant steps to correct the conditions that cause the 
material weaknesses in internal control are not planned until after 2007. 

Conditions: Many of the conditions described below are indicators of a weak control 
environment or entity-level controls. The control environment begins at the top with the 
Commandant, and permeates the organization with a mindset of quality, care, and commitment of 
resources to reasonably ensure the integrity of the Coast Guards' financial processes, controls, 
and information technology (IT) systems. We noted the following conditions related to the 
control environment which existed in prior years, and have been updated for this report. 

The Coast Guard has not fully implemented a financial management organizational structure 
where: 

• U.S. generally accepted accounting principles (GAAP) are applied and financial statement 
balances are appropriately supported, resulting in the Coast Guard not being able to assert 
to the completeness, existence (validity), accuracy, valuation, or presentation of their 
financial data. 

• Appropriate and clear internal reporting relationships have been established resulting in 
effective financial guidance and oversight over internal and external distribution of 
financial information, particularly related to the Federal Managers' Financial Integrity 
Act of 1982 (FMFIA). 

• Clear and complete authority and responsibility for all financial accounting policy, 
processes, and control functions vests with the Coast Guard Chief Financial Officer 
(CFO). 

• Financial management oversight functions, complete with an organizational chart, job 
descriptions, roles and responsibilities, and skill sets required, are defined. 

• The financial management infrastructure is appropriately staffed with experienced 
financial managers and staff, to expeditiously identify and address control weaknesses, 
and develop and implement effective policies, procedures, and internal controls to ensure 
that data supporting financial statement assertions are complete and accurate. 

• The objectives of sound fiscal management, as defined by various government sources, 
described in the criteria section below, are embraced by all officers and personnel of the 
Coast Guard. 

Cause/Effect: The Coast Guard's management has acknowledged that longstanding procedural, 
control, personnel, and cultural issues have impeded progress toward installing an effective 
financial management structure. In addition, the Coast Guard's CFO must coordinate with heads 
of various divisions who have a role in the accounting and financial reporting processes, but who 
otherwise have limited exposure to financial statement audits. Further, these division heads 
change regularly as part of the Coast Guard military assignment and rotation polices, making it 
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difficult for the CFO to institutionalize internal controls related to financial management and 
reporting that are outside the CFO's direct organization. The conditions described above continue 
to prevent the Coast Guard and DHS from timely preparation of accurate financial information 
and reports and have also contributed to the conditions reported in Exhibit I-B, Financial 
Reporting, as well as other material weaknesses described in this Exhibit. 

Criteria: OMB Circular No. A- 123, Revised, Management's Responsibility for Internal Control, 
defines internal controls as the organization, policies, and procedures used by agencies to 
reasonably ensure that (i) programs achieve their intended results; (ii) resources are used 
consistent with agency mission; (iii) programs and resources are protected from waste, fraud, and 
mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely information 
is obtained, maintained, reported, and used for decision making. 

FMFIA requires that agencies establish internal controls according to standards prescribed by the 
Comptroller General and specified in the Government Accountability Office's (GAO) Standards 
for Internal Control in the Federal Government (Standards). The GAO defines internal control 
as an integral component of an organization's management that provides reasonable assurance 
that the following objectives are achieved: effectiveness and efficiency of operations, reliability 
of financial reporting, and compliance with applicable laws and regulations. 

The GAO Standards identify the control environment, as one of the five key elements of control, 
which emphasizes the importance of control conscientiousness in management's operating 
philosophy and commitment to internal control. These standards cover controls such as human 
capital practices, supervisory reviews, and segregation of duties, policies, procedures, and 
monitoring. 

OMB Circular No. A-50, Audit Follow-up, as revised, states that corrective action taken by 
management on audit findings and recommendations is essential to improving the effectiveness 
and efficiency of Government operations. Each agency shall establish systems to assure the 
prompt and proper resolution and implementation of audit recommendations. These systems shall 
provide for a complete record of action taken on both monetary and nonmonetary findings and 
recommendations. 

Recommendations: We recommend that the Coast Guard: 

1 . Initialize the CAP/FSTAR process with an assessment of the control environment (entity- 
level controls), develop effective corrective actions, and implement improved financial 
processes and systems; 

2. Delegate responsibility for sound fiscal management centrally with the CFO who has full 
authority to implement change as needed, including new policies, procedures, controls and IT 
systems requirements, to have the ability, and appropriate resources for Coast Guard financial 
management and reporting functions; 

3. Engage an expert from outside the organization to evaluate the existing financial management 
organizational and internal control structure. The organizational specialist should conduct an 
assessment of the financial management organizational structure to consider the conditions 
cited above. In addition, the organizational specialist should consider other conditions 
identified in Exhibit I-B, Financial Reporting, below, such as the number and type of 
personnel and resources needed, along with the requisite skills and abilities necessary, to 
provide effective guidance and oversight to program offices that are significant to financial 
management and reporting, and make recommendations to senior management for 
appropriate changes; and 
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4. Ensure that its CAP/FSTAR actions as designed and performed are: 

a) Effective in addressing all of the material weakness described in this Exhibit; and 

b) Coordinated and prioritized with the input from Departments CFO to address matters that 
are preventing the Department from preparing reliable financial statements and executing 
its fiscal management responsibilities. 

I-B Financial Reporting 

Background: In FY 2006, we reported that the Coast Guard had numerous internal control 
weaknesses that led to a material weakness in financial reporting. While the Coast Guard 
developed FSTAR to address the control weaknesses, they were not able to make substantial 
progress in execution of their corrective actions, and, consequently, many of the conditions 
reported in prior years are repeated below. 

Conditions: The Coast Guard: 

• Has not developed and implemented an effective general ledger system. The Core 
Accounting System (CAS), Aircraft Logistics Management Information System 
(ALMIS), and Naval Engineering Supply Support System (NESSS) general ledgers are 
significantly noncompliant with the requirements of the Federal Financial Management 
Improvement Act (FFMIA). Specifically: 

The general ledgers are not compliant with the United States Standard General Ledger 
(USSGL) at the transaction level, include noncompliant chart of account definitions, 
invalid accounts, improper posting logic codes and inconsistent crosswalks to the 
Coast Guard Treasury Information Executive Repository (TIER) database. The 
general ledgers also have static balances related to a legacy general ledger conversion 
and unsubstantiated automated changes to CAS financial data through the use of 
hundreds of scripts, implemented without effective controls to correct system 
problems; 

The Coast Guard's TIER submissions to the Department's Office of Financial 
Management (OFM) are from a database that does not have detail at the transactional 
level, and is not reconciled or supported by the transaction level detail in the Coast 
Guard's three general ledgers; and 

The financial reporting process is overly complex and labor intensive, and requires a 
significant number of "on-top" adjustments (adjustments made outside the core 
accounting system for presentation of financial information given to the Department 
for consolidation). These topside adjustments are not supported at the transaction 
level and are not recorded to the respective general ledgers at a detailed transactional 
level. Thus, period-end and opening balances are only supported by the Coast Guard 
TIER database, and the three general ledgers do not support the financial statements. 

• Has significant deficiencies in its policies, procedures, and controls surrounding its 
financial reporting process. For example, the Coast Guard does not have 

Effective procedures to support beginning balance, year-end close out and the 
cumulative results of operation analysis; 

A process to record all financial transactions, in detail at the transactional level, to the 
general ledger systems; 
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Effective policies and procedures to identify the cause and resolve abnormal balances 
and account relationship discrepancies, e.g., budgetary to proprietary reconciliations, 
and identified potential errors in its financial data; 

Effective procedures and internal controls over the process of preparing and reviewing 
adjustments to account balances, and financial statement disclosures, and uses high- 
level analytical comparisons to identify adjusting entries; 

Effective procedures to assess potential financial system problems, such as potential 
posting logic errors and automated changes to financial data through scripts (system 
modifications); 

- Fully effective and accurate reporting tools for financial data analysis (Facts & 
Figures Quick Report Tool); 

An effective process to record, review, and monitor accounts receivable activity; 

Effective policies, procedures, and internal controls to compile, support, review, and 
report financial statement disclosures submitted for incorporation in the DHS 
financial statements, to include the effective completion the GAO Disclosure 
Checklist and valid support for the preparation of statement of net cost disclosure; and 

A validated, comprehensive process, to include effective internal controls, to fully 
track and reconcile intragovernmental transactions with its Federal trading partners, 
especially those outside DHS, and to determine that Coast Guard intragovernmental 
balances, as reported in the DHS financial statements, are complete, accurate, 
appropriately valued, belong to Coast Guard, and presented properly in the financial 
statements. 

Cause/Effect: Many of the issues mentioned above stem from the conditions described in Exhibit 
I-A Financial Management and Entity-Level Controls. At the Coast Guard, the accuracy of 
financial information is highly dependent on the knowledge and experience of a limited number 
of key financial personnel rather than on clearly documented procedural manuals and process- 
flow documentation. In addition, the Coast Guard has serious general ledger structural and IT 
system functionality deficiencies that make the financial reporting process more complex and 
difficult. Consequently, the Coast Guard can not be reasonably certain that its financial 
statements are complete or accurate at any time. In its annual Assurance Statement provided to 
the DHS Secretary in September 2007, the Coast Guard was unable to provide reasonable 
assurance that internal controls over financial reporting are operating effectively, and was unable 
to represent to us that any significant balance sheet line items are fairly stated at September 30, 
2007. 

Criteria: FFMIA Section 803(a) requires that Federal financial management systems comply 
with (1) Federal accounting standards, (2) Federal system requirements, and (3) the USSGL at the 
transaction level. FFMIA emphasizes the need for agencies to have systems that can generate 
timely, reliable, and useful information with which to make informed decisions to ensure ongoing 
accountability. 

FMFIA requires that agencies establish internal controls according to standards prescribed by the 
Comptroller General and specified in the GAO Standards. These standards define internal 
control as an integral component of an organization's management that provides reasonable 
assurance that the following objectives are being achieved: effectiveness and efficiency of 
operations, reliability of financial reporting, and compliance with applicable laws and regulations. 
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The GAO Standards require that internal controls be documented in management directives, 
administrative policies or operating manuals; transactions and other significant events be clearly 
documented; and information be recorded and communicated timely with those who need it 
within a timeframe that enables them to carry out their internal control procedures and other 
responsibilities. 

Recommendations: We recommend that the Coast Guard: 

1 . Conduct an assessment of its current financial reporting process, including a review of its 
three general ledger systems, with the goal of establishing a general ledger that is FFMIA 
compliant at the transaction level, e.g., all financial transactions are recorded in the general 
ledger at the detail USSGL level as they occur, all financial statement line items are fully 
reconciled and supported by transactional detail contained in the general and subsidiary 
ledgers, reducing complexity, implementing appropriate internal controls, improving 
financial systems integration and automating manual processes; 

2. Establish new or improve existing policies, procedures, and related internal controls to ensure 
that: 

a) The year-end, close-out process; reconciliations; and financial data and account analysis 
procedures are supported by documentation, including evidence of effective management 
review and approval, and beginning balances in the following year are determined to be 
reliable and auditable; 

b) On-top adjustments to account balances and abnormal balances and account relationship 
discrepancies, e.g., budgetary to proprietary reconciliations are identified, reviewed and 
documented; 

c) Account reconciliations, for each of the three general ledgers and the monthly TIER 
submission, are performed timely and completely each month, and differences are 
researched and resolved before the next month's reporting cycle. Reconciliations should 
include all funds maintained by the Coast Guard, including revolving, special, and trust 
funds; 

d) The Coast Guard identifies all accounts receivables and then implements comprehensive 
Coast Guard-wide policies and procedures, including internal controls, at a sufficient 
level of detail to determine that the accounts receivable process is effective to support 
management assertions, in compliance with generally accepted accounting principles, for 
the accounts receivable balance reported on the Coast Guard balance sheet; and 

e) The Coast Guard develops and implements effective policies, procedures and internal 
controls to compile, support, review, and report financial statement disclosures submitted 
for incorporation in the DHS financial statements, to include the effective completion the 
GAO Disclosure Checklist and valid support for the preparation of statement of net cost 
disclosure; 

3. Investigate potential financial system problems such as potential posting logic errors and 
automated changes to financial data through scripts (system modifications); and 

4. Establish a formal documented review and approval process over reconciliation activities 
performed by Coast Guard to ensure that all intragovernmental activity and balances are 
identified and differences are being resolved in a timely manner in coordination with the 
OFM (see Exhibit II-B, Financial Reporting). Procedures should also include obtaining 
positive confirmation of balances with DHS trading partners and make appropriate system 
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changes to include updating and validating the information in the vendor tables for trading 
partner data, and correct known errors. 

I-C Financial Systems Security 

Background: The Coast Guard maintains three general ledger systems that support its financial 
statements and other financial data provided to DHS OFM for consolidation, which are CAS, 
ALMIS, and NESSS - described in Exhibit I-B, Financial Reporting. Our audit included a review 
of the Coast Guard's IT general control (ITGC), and specifically in six key control areas: entity- 
wide security program planning and management, access control, application software 
development and change control, system software, segregation of duties, and service continuity. 
During FY 2007, the Coast Guard took actions to improve aspects of its ITGC to address our 
prior year findings; however, the Coast Guard did not make all of the necessary improvements 
that they had planned to make during the year. The Coast Guard also serves as Transportation 
Security Administration's (TSA)'s accounting service provider; therefore, some financial 
accounting system and process weaknesses at the Coast Guard may affect the TSA's accounting 
records, as well. 

Conditions: During our 2007 ITGC testing, we identified 42 findings, of which 36 are repeat 
findings and 6 are new findings. The ITGC and other financial system control weaknesses were 
identified at Coast Guard Headquarters and its components. We noted control deficiencies in all 
six general control areas that when combined, present more than a remote possibility of 
materially impacting financial data integrity. The significant deficiencies identified included: 1) 
excessive access to key Coast Guard financial applications, 2) application change control 
processes that are not adequately designed nor operating effectively, 3) entity-wide security 
program issues involving personnel background checks, 4) system software weaknesses involving 
patch management and configuration management, 5) segregation of duties involving lack of 
policies and procedures and excessive privilege access issues, and 6) service continuity issues 
involving the lack of testing of disaster recovery testing. Significant deficiency Nos. 1 and 2, 
above, are considered to be material weaknesses impacting the DHS consolidated financial 
statements. In addition, the significant deficiencies in application change control processes are 
among the principle causes of Coast Guard's inability to support their financial statement 
balances. See Exhibit I-B, Financial Reporting, for a discussion of the related conditions causing 
significant noncompliance with the requirements of FFMIA. Our ITGC findings are described in 
greater detail in a separate Limited Official Use (LOU) letter provided to the Coast Guard and 
DHS management. 

Cause/Effect: The Coast Guard has made some progress correcting certain ITGC weaknesses 
identified in previous years. However, the Coast Guard was not able to effectively prioritize and 
implement CAPs to remediate the root cause of the ITGC weaknesses in 2007. Consequently, the 
corrective actions taken more often address the symptom of the problem and not the root cause. 
For example, workarounds are sometimes implemented so that the system can continue 
functioning, while more permanent solutions are developed. 

Many of these weaknesses were inherited from system development activities that did not 
incorporate strong security controls during the initial implementation of the system more than 
five years ago, and will take several years to fully address. These weaknesses exist both in the 
documentation of processes and the implementation of adequate security controls over processes 
and within financial systems. Specifically, policies and procedures supporting the operation of 
various processes within control areas such as change control and access controls were developed 
without taking into account required security practices. Consequently, as policies and procedures 
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are updated, many Coast Guard components are challenged to move away from previous 
methodologies and fully implement and enforce these new controls in unison with other 
components. 

The effect of these ITGC weaknesses limits Coast Guard's ability to ensure that critical financial 
data is reliable and is maintained in a manner to ensure confidentiality, integrity, and availability. 
In addition, as a result of the presence of IT weaknesses, there is added dependency on the other 
mitigating manual controls to be operating effectively at all times. Because mitigating controls 
often require more human involvement, there is an increased risk of human error that could 
materially affect the financial statements. 

Criteria: The Federal Information Security Management Act (FISMA) passed as part of the 
Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs 
in accordance with National Institute of Standards and Technology (NIST) guidance. 

OMB Circular No. A- 130, Management of Federal Information Resources, describe specific 
essential criteria for maintaining effective general IT controls. 

FFMIA sets forth legislation prescribing policies and standards for executive departments and 
agencies to follow in developing, operating, evaluating, and reporting on financial management 
systems. The purpose of FFMIA is 1) to provide for consistency of accounting by an agency 
from one fiscal year to the next, and uniform accounting standards throughout the Federal 
Government, 2) require Federal financial management systems to support fuM disclosure of 
Federal financial data, including the full costs of Federal programs and activities, 3) increase the 
accountability and credibility of federal financial management, 4) improve performance, 
productivity and efficiency of Federal Government financial management, and 5) establish 
financial management systems to support controlling the cost of Federal Government. 

OMB Circular No. A-123 states, "Agency managers should continuously monitor and improve 
the effectiveness of internal control associated with their programs." This continuous monitoring, 
and other periodic evaluations, should provide the basis for the agency head's annual assessment 
of and report on internal control, as required by FMFIA. This Circular indicates that "control 
weaknesses at a service organization could have a material impact on the controls of the customer 
organization. Therefore, management of cross-servicing agencies will need to provide an annual 
assurance statement to its customer agencies in advance to allow its customer agencies to rely 
upon that assurance statement. Management of cross-servicing agencies shall test the controls 
over the activities for which it performs for others on a yearly basis. These controls shall be 
highlighted in management's annual assurance statement that is provided to its customers (e.g., 
TSA). Cross-servicing and customer agencies will need to coordinate the timing of the assurance 
statements." 

DHS' Sensitive Systems Policy, 4300A, documents policies and procedures adopted by DHS 
intended to improve the security and operation of all DHS IT systems including the Coast Guard 
IT systems. 

The GAO's Federal Information System Controls Audit Manual (FISCAM) provides a 
framework and recommended audit procedures that are used to conduct the IT general control test 
work. 

Recommendations: We recommend that the DHS Office of Chief Information Officer in 
coordination with the Office of the Chief Financial Officer (OCFO) make the following 
improvements to the Coast Guard's financial management systems: 
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1 . Implement the recommendations in our LOU letter provided to the Coast Guard and DHS 
management, to effectively address the deficiencies identified including: 1) access to key 
Coast Guard financial applications, 2) application change control processes, 3) entity-wide 
security program issues, 4) system software weaknesses involving patch management and 
configuration management, 5) segregation of duties involving lack of policies and procedures 
and excessive privilege access issues, and 6) service continuity issues involving the lack of 
testing of disaster recovery; 

2. Design and implement plan of action and milestones that address the root cause of the 
weakness, to migrate away from excessive workarounds and reliance on manual mitigating 
controls; and 

3 . Develop and implement policies and procedures that appropriately consider required security 
practices when supporting the operation of various processes within control areas such as 
change control and access controls. 

I-D Fund Balance with Treasury 

Background: In fiscal year 2006, we reported the existence of a material weakness in Fund 
Balance with Treasury (FBwT) at the Coast Guard. The Coast Guard has not yet developed or 
implemented comprehensive FBwT CAPs, and consequently, we are repeating and expanding the 
conditions cited in last year's report. FBwT at the Coast Guard totaled approximately $5 billion, 
or approximately 10 percent of total DHS FBwT, at September 30, 2007. The majority of these 
funds represented appropriated amounts that were obligated, but not yet disbursed, at September 
30, 2007. 

Conditions: The Coast Guard: 

• Did not maintain adequate supporting documentation that validated the accuracy of all of 
its FBwT reconciliations and the clearing of suspense items, to include posting 
unsupported adjustments to the Coast Guard reported general ledger activity submitted to 
the Treasury, and to agree Coast Guard balances to Treasury records without supporting 
documentation. 

• Did not have an effective process for accounting for suspense account transactions related 
to FBwT. The Coast Guard lacks documented and effective policies and procedures, to 
include internal controls, to support the completeness, existence, and accuracy of recorded 
and subsequently posted suspense account transactions. The Coast Guard continues to be 
unable to produce complete and accurate populations of suspense transactions. 

• Was unable to provide validated military and civilian payroll data to support payroll 
transactions processed through the Coast Guard's FBwT, USSGL account No. 1010. The 
Coast Guard did not properly report and reconcile these transactions or maintain 
appropriate supporting documentation. 

Cause/Effect: The Coast Guard has not designed and implemented accounting processes, 
including a financial system that complies with federal financial system requirements, as defined 
in OMB Circular No. A- 127 and the requirements of the Joint Financial Management 
Improvement Program (JFMIP), now administered by the Financial Systems Integration Office 
(FSIO), to fully support the fiscal year 2007 FBwT activity and balance at September 30, 2007. 
Failure to implement timely and effective reconciliation processes could increase the risk of 
fraud, abuse, undetected violations of appropriation laws, including instances of undiscovered 
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Anti-deficiency Act violations, and mismanagement of funds, which could lead to inaccurate 
financial reporting and affects DHS' ability to effectively monitor its budget status. 

Criteria: The Treasury Financial Manual (TFM) states, "Federal agencies must reconcile their 
USSGL account No.1010, and any related subaccounts, on a monthly basis (at minimum). 
Federal agencies must research and resolve differences between the balances reported on their 
general ledger FBwT accounts and balances reported in the Government-wide Accounting system 
(GWA). In addition, Section 803(a) of FFMIA requires that Federal financial management 
systems comply with 1) Federal accounting standards, 2) Federal system requirements, and 3) the 
USSGL at the transaction level. FFMIA emphasizes the need for agencies to have systems that 
can generate timely, reliable, and useful information with which to make informed decisions to 
ensure ongoing accountability. 

According to OMB Circular No. A- 123, transactions should be promptly recorded, and properly 
classified and accounted for, in order to prepare timely and reliable financial and other reports. 
Documentation for transactions, management controls, and other significant events must be clear 
and readily available for examination. 

Recommendations: We recommend that the Coast Guard: 

1 . Establish policies, procedures, and internal controls, including effective reconciliations and 
the use of a financial system that complies with federal financial system requirements, as 
defined in OMB Circular A-127, and the requirements of the JFMIP, to fully support the 
fiscal year 2007 FBwT activity and balance at September 30, 2007. These policies and 
procedures should allow the Coast Guard to: 

a) Perform complete and timely FBwT reconciliations using the tools provided by Treasury 
GWA; 

b) Better manage its suspense accounts to include researching and clearing items carried in 
suspense clearing accounts in a timely manner during the year, and maintaining 
documentation of periodic reconciliations of FBwT; and 

c) Ensure payroll data, supporting payroll transactions processed through FBwT (account 
1010), is properly maintained and available for audit testwork, as needed. 

I-E Capital Assets and Supplies 

Background: Property, plant, and equipment (PP&E) represents approximately 15.5 percent of 
total DHS assets, and the Coast Guard maintains more than 60 percent of all DHS PP&E, 
including a large fleet of boats and vessels. Many of the Coast Guard's assets are constructed 
over a multi-year period, have long useful lives, and undergo extensive routine servicing that may 
increase their value or extend their useful lives. Comprehensive policies and procedures are 
necessary to accurately and timely account for and report these assets. We reported in prior years 
that the Coast Guard has been unable to provide auditable documentation for certain categories of 
PP&E, due to a number of policy, control, and process deficiencies that will require several years 
to correct, and consequently, most of the conditions cited below have been repeated from our 
2006 report, and have existed since the Department's inception in 2003. 

Operating Materials and Supplies (OM&S) are maintained by the Coast Guard in significant 
quantities, and consist of tangible personal property to be consumed in normal operations to 
service marine equipment, aircraft, and other operating equipment. The majority of the Coast 
Guard's OM&S is physically located at either two Inventory Control Points (ICPs) or in the field. 
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The Coast Guard's policy requires regularly scheduled physical counts of OM&S, which are 
important to the proper valuation of OM&S and its safekeeping. The conditions cited below for 
OM&S are based on findings reported in fiscal 2006, updated as necessary to reflect the 
conditions noted in fiscal year 2007. 

Conditions: Coast Guard has not: 
Regarding PP&E: 

• Consistently applied policies and procedures to ensure appropriate documentation 
supporting PP&E acquisitions, and their existence, is maintained to support capitalized 
PP&E. In cases where original acquisition documentation has not been maintained, the 
Coast Guard has not developed and documented methodologies and assumptions to 
support the value of PP&E. 

• Implemented appropriate controls and related processes to accurately, consistently, and 
timely record additions to PP&E and construction in process (CIP), transfers from other 
agencies, disposals in its fixed asset system, and valuation and classification of repairable 
PP&E. 

• Implemented accurate and complete asset identification, system mapping, and tagging 
processes that include sufficient detail, e.g., serial number, to clearly differentiate and 
accurately track physical assets to those recorded in the fixed asset system. 

• Properly accounted for some improvements and impairments to buildings and structures, 
capital leases, and selected useful lives for depreciation purposes, consistent with GAAP. 

Regarding OM&S: 

• Implemented policies, procedures, and internal controls to support the completeness, 
accuracy, existence, valuation, ownership, and presentation assertions related to the fiscal 
year 2007 OM&S and related account balances. 

• Fully designed and implemented policies, procedures, and internal controls over physical 
counts of OM&S to remediate conditions identified in previous years. 

• Properly identified (bar-coded or tagged) recorded OM&S. 

• Established processes and controls to fully support the calculated value of certain types of 
OM&S to approximate historical cost. 

Cause/Effect: PP&E policies and procedures are not appropriately designed, consistently 
followed, or do not include sufficient controls to ensure compliance with policy or to ensure 
complete supporting documentation is maintained and available for audit testwork. The fixed 
asset module of the Coast Guard's CAS is not updated for effective tracking and reporting of 
PP&E. The effect of these conditions is that the Coast Guard is unable to accurately account for 
its PP&E, and provide necessary information to DHS OFM for consolidated financial statement 
purposes. 

Coast Guard management deferred correction of most OM&S weaknesses reported in previous 
years, and acknowledged that the conditions we reported in prior years remained throughout 
fiscal year 2007. Lack of comprehensive and effective policies and controls over the 
performance of physical counts, and appropriate support for valuation, may result in errors in the 
physical inventory process or inventory discrepancies that could result in financial statement 
misstatements. 
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Criteria: Statement of Federal Financial Accounting Standard (SFFAS) No. 6, Accounting for 
Property, Plant, and Equipment, requires that: 

- PP&E is recorded at historical cost with an adjustment recorded for depreciation. In the 
absence of such information, estimates may be used based on a comparison of similar 
assets with known values or inflation-adjusted current costs; and 

- PP&E accounts should be adjusted for disposals, retirements, and removal of PP&E, 
including associated depreciation. 

According to OMB Circular No. A-123, transactions should be promptly recorded, and properly 
classified and accounted for, in order to prepare timely and reliable financial and other reports. 
Documentation for transactions, management controls, and other significant events must be clear 
and readily available for examination. 

FFMIA Section 803(a) requires each agency to implement and maintain a system that complies 
substantially with Federal financial management system requirements as stipulated in OMB 
Circular No. A-127. That Circular requires an agency's system design "to have certain 
characteristics that include consistent internal controls over data entry, transaction processing, 
and reporting throughout the system to ensure the validity of the information." 

According to GAO Standards, assets at risk of loss or unauthorized use should be periodically 
counted and compared to control records. Policies and procedures should be in place for this 
process. The FSIO publication, Inventory, Supplies, and Material System Requirements, states 
that "the general requirements for control of inventory, supplies and materials consist of the 
processes of receipt and inspection. An agency's inventory, supplies and materials system must 
identify the intended location* of the item and track its movement from the point of initial receipt 
to its final destination." SFFAS No. 3, Accounting for Inventory and Related Property, states 
OM&S shall be valued on the basis of historical cost. 

Recommendations: We recommend that the Coast Guard: 
Regarding PP&E: 

1 . Improve controls and related processes and procedures to ensure that documentation 
supporting PP&E acquisitions, to include the CIP process and existence, including additions, 
transfers, and disposals, is maintained to support capitalized PP&E; 

2. Implement processes and controls to record PP&E transactions accurately, consistently, and 
timely in the fixed asset system; record an identifying number in the fixed asset system at the 
time of asset purchase to facilitate identification and tracking; and ensure that the status of 
assets is accurately maintained in the system; 

3. Revise procedures for performing physical inventories of repairable items, to include 
procedures for resolving differences, and reporting results, to ensure that repairable PP&E is 
accurately and completely classified and recorded. Support the pricing methodology used to 
value repairable PP&E to ensure that balances, as presented in the financial statements, 
approximate amortized historical cost; and 

4. Review policies and procedures to account for improvements and impairments to buildings 
and structures, capital leases, and identify proper useful lives for depreciation purposes in 
accordance with GAAP. 
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Regarding OM&S: 

5. Update OM&S physical count policies, procedures, and controls, and provide training to 
personnel responsible for conducting physical inventories, and include key elements of an 
effective physical inventory in the policies; 

6. Consider adopting a system of bar-coding or tagging OM&S as a method of tracking usage 
and maintaining a perpetual inventory of OM&S on hand; and 

7. Establish processes and controls to support the calculated value of OM&S to ensure 
accounting is consistent with GAAP. 

I-F Actuarial and Other Liabilities 

Background: The Coast Guard maintains pension, medical, and postemployment travel benefit 
programs that require actuarial computations to record related liabilities for financial reporting 
purposes. The Military Retirement System (MRS) is a defined benefit plan that covers both 
retirement pay and health care benefits for all active duty and reserve military members of the 
Coast Guard. The medical plan covers active duty, reservists, retirees/survivors and their 
dependents that are provided care at Department of Defense (DoD) medical facilities. The 
postemployment travel benefit program pays the cost of transportation for uniformed service 
members upon separation from the Coast Guard. Annually, participant and cost data is extracted 
by the Coast Guard from its records and provided to an actuarial firm as input for the liability 
calculations. The accuracy of the actuarial liability as reported in the financial statements is 
dependent on the accuracy and completeness of the underlying participant and cost data provided 
to the actuary. A combined unfunded accrued liability of approximately $30 billion for the plans 
is reported in the DHS consolidated balance sheet at September 30, 2007. 

The Coast Guard estimates accounts payable as a percentage of undelivered orders (UDOs) based 
on historical trends. As described in Exhibit I-G, Budgetary Accounting, reliable accounting 
processes surrounding the recording of obligations and disbursements, and tracking of UDOs, are 
key to the accurate reporting of accounts payable in the Coast Guard's financial statements. 

The Coast Guard's environmental liabilities consist of two main types: shore facilities and 
vessels. Shore facilities include any facilities or property other than ships, e.g., buildings, fuel 
tanks, lighthouses, small arms firing ranges (SAFRs), etc. 

The Coast Guard estimates its legal liabilities to include Oil Spill Liability Trust Fund claims, that 
are incorporated, and recorded, as part of the DHS legal liability on DHS financial statements. 

Conditions: We noted the following internal control weaknesses related to actuarial and other 
liabilities. The Coast Guard does not: 

• Have effective policies, procedures, and controls to ensure the completeness and 
accuracy of participant data, medical cost data, and trend and experience data provided 
to, and used by, the actuary for the calculation of the MRS pension, medical, and 
postemployment benefit liabilities. Reconciliations between subsidiary and general ledger 
amounts for medical expenditures are not effective. 

• Have effective policies, procedures and internal controls over the Coast Guard's process 
for reconciling military payroll recorded in the CAS general ledger to detail payroll 
records. Military personnel data changes, including changes in leave balances and payroll 
corrections, are not processed in the appropriate payroll and/or reporting periods, and 



1.12 



Independent Auditors' Report 

Exhibit I - Material Weaknesses in Internal Control - U.S. Coast Guard 



consequently impact the completeness and accuracy of leave and payroll accruals as well 
as data used for actuarial projections. 

• Use a reliable methodology to estimate accounts payable. The method used was not 
supported as to the validity of data, assumptions, and criteria used to develop and 
subsequently validate the reliability of the estimate for financial reporting. 

• Support the completeness, existence, and accuracy assertions of the data utilized in 
developing the estimate for the FY 2007 recorded environmental liability account 
balance. The Coast Guard has not fully developed, documented, and implemented the 
policies and procedures in developing, preparing, and recording the environmental 
liability estimates related to vessels, shore facilities projects, lighthouses, and SAFRs. 

• Use a reliable methodology to estimate their legal liabilities, to include Oil Spill Liability 
Trust Fund claims that are incorporated and recorded as part of the DHS contingent legal 
liability on DHS consolidated financial statements. The Coast Guard did implement 
corrective actions to support the completeness of their oil spill legal claims. However, 
Coast Guard policies, procedures, and internal controls were not fully effective to 
accurately estimate liabilities for oil spill claims. 

Cause/Effect: Much of the data required by the actuary comes from personnel and payroll 
systems that are outside of the Coast Guard's accounting organization and are instead managed 
by Coast Guard's Personnel Service Center (PSC). The PSC has not substantiated the 
completeness and accuracy of the basic pay information provided to the actuary. Consequently, 
the Coast Guard management is unable to provide assurance on the completeness and accuracy of 
actuarially determined liabilities as stated in the DHS consolidated balance sheet at September 30, 
2007. In addition, the Coast Guard does not have sufficient controls to prevent overpayments for 
medical services, and inaccurate medical costs submitted to the Coast Guard actuary could result 
in a misstatement of the actuarial medical liability and related expenses. Also, the conditions 
noted exist, in part, because of ineffective entity-level controls, in particular, with regard to 
financial management oversight - see Exhibit I- A, Financial Management and Entity Level 
Controls. 

The Coast Guard has not yet developed comprehensive policies and procedures or corrective 
action plans to address the conditions above, and consequently, management is unable to assert to 
the accuracy and completeness of accounts payable, and payroll accruals recorded as of 
September 30, 2007. 

The Coast Guard has not developed consistent, written, agency-wide policies to define the 
technical approach, cost estimation methodology, and overall financial management oversight of 
its oil spill claims and environmental remediation projects, resulting in the inability to support the 
completeness of the estimate and possible misstatement of the liability in its financial statements. 

Criteria: According to SFFAS No. 5, Accounting for Liabilities of the Federal Government, 
paragraph 95, the employer should recognize an expense and a liability for other postemployment 
benefits (OPEB) when a future outflow or other sacrifice of resources is probable and measurable 
on the basis of events occurring on or before the reporting date. Further, the long-term OPEB 
liability should be measured at the present value of future payments, which requires the employer 
to estimate the amount and timing of future payments, and to discount the future outflow over the 
period for which the payments are to be made. 

GAO Standards hold that transactions should be properly authorized, documented, and recorded 
accurately and timely. OMB Circular No. A- 123 states that "transactions should be promptly 
recorded, properly classified, and accounted for in order to prepare timely accounts and reliable 
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financial and other reports." SFFAS No. 1 , Accounting for Selected Assets and Liabilities, states, 
"When an entity accepts title to goods, whether the goods are delivered or in transit, the entity 
should recognize a liability for the unpaid amount of the goods. If invoices for those goods are 
not available when financial statements are prepared, the amounts owed should be estimated." 

Statement on Auditing Standards (SAS) No. 57, Auditing Accounting Estimates, states "An 
entity's internal control may reduce the likelihood of material misstatements of accounting 
estimates. Specific relevant aspects of internal control include the following: Accumulation of 
relevant, sufficient, and reliable data on which to base an accounting estimate, and comparison of 
prior accounting estimates with subsequent results to assess the reliability of the process used to 
develop estimates." 

Federal Accounting Standards Advisory Board (FASAB) Technical Release No. 2, Determining 
Probable and Reasonably Estimable for Environmental Liabilities in the Federal Government, 
states that an agency is required to recognize a liability for environmental cleanup costs as a result 
of past transactions or events when a future outflow or other sacrifice of resources is probable and 
reasonably estimable. Probable is related to whether a future outflow will be required. 
Reasonably estimable relates to the ability to reliably quantify in monetary terms the outflow of 
resources that will be required. 

Recommendations: We recommend that the Coast Guard: 
Regarding actuarial liabilities: 

1 . Establish and document policies, procedures, and effective controls to ensure the 
completeness and accuracy of the actuarial pension, medical, and postemployment travel 
benefit liabilities; 

2. Establish and document policies, procedures, and effective controls to ensure the 
completeness and accuracy of participant data, medical cost data, and trend and experience 
data provided to, and used by, the actuary for the calculation of the MRS pension, medical, 
and postemployment travel benefit liabilities; and 

3. Perform a periodic reconciliation between the medical expenditures recorded in the 
subsidiary ledger and those recorded in the CAS, and address differences before data is 
provided to the actuary. This reconciliation should be performed for all significant sources of 
medical actuarial data, including TriCare, and DoD Military Treatment Facilities (MTFs). In 
addition, this reconciliation should be reviewed by someone other than the preparer to ensure 
accuracy. 

Regarding accounts payable and payroll: 

4. Analyze and make appropriate improvements to the methodology used to estimate accounts 
payable and support all assumptions and criteria with appropriate documentation to develop 
and subsequently validate the estimate for financial reporting; and 

5. Implement corrective action, including appropriately designed and implemented internal 
controls, to support the completeness, existence, and accuracy of changes in member 
personnel data records and military payroll transactions, and to include recorded accrued 
military leave and payroll liabilities. 



1.14 



Independent Auditors' Report 

Exhibit I - Material Weaknesses in Internal Control - U.S. Coast Guard 



Regarding environmental liabilities: 

6. Develop consistent written agency-wide policies, procedures, processes, and controls to 
ensure identification of and recording of all environmental liabilities, define the technical 
approach, cost estimation methodology, and overall financial management oversight of its 
environmental remediation projects. The policies should include: 

a) Procedures to ensure the proper calculation and review of cost estimates for consistency 
and accuracy in financial reporting, including the use of tested modeling techniques, use 
of verified cost parameters, and assumptions; 

b) Periodically validate estimates against historical costs; and 

c) Ensure that detailed cost data is maintained and reconciled to the general ledger. 
Regarding legal liabilities: 

7. Develop, document, and implement a reliable methodology as well as formal policies and 
procedures, to include internal controls, to verify and support the accuracy of the legal 
liability estimate and related disclosures. 

I-G Budgetary Accounting 

Background: Budgetary accounts are a category of general ledger accounts where transactions 
related to the receipt, obligation, and disbursement of appropriations and other authorities to 
obligate and spend agency resources are recorded. Each Treasury Account Fund Symbol (TAFS), 
with separate budgetary accounts, must be maintained in accordance with OMB and Treasury 
guidance. The Coast Guard has over 80 TAFS covering a broad spectrum of budget authority, 
including annual, multiyear, and no-year appropriations; and several revolving, special, and trust 
funds. In addition, the Coast Guard estimates accounts payable at year end as a percentage of 
UDOs based on historical trends. Reliable accounting processes surrounding obligations, UDOs 
and disbursements are key to the accurate reporting of accounts payable in the DHS consolidated 
financial statements. 

Conditions: We noted the following internal control weaknesses related to budgetary accounting, 
many of which were repeated from our fiscal year 2006 report. 

• The policies, procedures and internal controls over the Coast Guard's process for 
validation and verification of UDO balances are not effective to ensure that recorded 
obligations and UDO balances were complete, valid, accurate, and that proper approvals 
and supporting documentation is maintained. 

• Policies were not fully implemented to ensure that contract awards, particularly related to 
the Deepwater Acquisition Program, were recorded in the general ledger in a timely 
manner, and as a result, obligations might have been temporarily understated. 

• Procedures and controls are not implemented to prevent incurring a 
commitment/obligation in excess of established targets so that funds are not obligated in 
excess of the apportioned and allotted amounts. In addition, the Coast Guard did not 
effectively monitor unobligated commitment activity in its procurement system. As of 
April 2007, there were over 16,000 unobligated commitment transactions totaling 
approximately $516 million. 

• The Coast Guard's procedures, processes, and internal controls in place to verify the 
completeness and accuracy of the year-end obligation pipeline adjustment to record all 
executed obligations were not properly designed and implemented. These deficiencies 
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affected the completeness, existence, and accuracy of the year-end "pipeline" adjustment 
that was made to record obligations executed before year end. 

• Automated system controls are not effectively used to prevent the processing of 

procurement transactions by contracting officer's with expired warrant authority, and a 
manual compensating control was not effective since listings of warranted contracting 
officers were not complete. 

Cause/Effect: Several of the Coast Guard's budgetary control weaknesses can be corrected by 
modifications or improvements to the financial accounting system, process improvements, and 
strengthened policies and internal controls. Weak controls in budgetary accounting, and 
associated contracting practices increase the risk that the Coast Guard could violate the Anti- 
deficiency Act and overspend its budget authority. The financial statements are also at greater 
risk of misstatement. The untimely release of commitments may prevent funds from being used 
timely for other purposes. 

Criteria: According to the JFMIP, Core Financial System Requirements, an agency's core 
financial management system must ensure that an agency does not obligate or disburse funds in 
excess of those appropriated and/or authorized and specific system edits and user notifications 
related to funds control must be in place. The Federal Acquisition Regulation (FAR) Section 
1.16 addresses the authorities and responsibilities granted to contracting officers. Treasury's 
USSGL guidance specifies the accounting entries related to budgetary transactions. 

FFMIA Section 803(a) requires that each Agency to implement and maintain a system that 
complies substantially with Federal financial management system requirements as stipulated by 
OMB Circular No. A-127. 

Recommendations: We recommend that the Coast Guard: 

1 . Improve policies, procedures, and the design and effectiveness of controls related to 
processing obligation transactions, including periodic review and validation of UDOs. 
Emphasize to all fund managers the need to perform effective reviews of open obligations, 
obtain proper approvals, and retain supporting documentation; 

2. Fully implement policies and the design and effectiveness of controls to ensure that contract 
awards are recorded in the general ledger in a timely manner; 

3. Improve segregation of duties for transactions related to the creation and approval of 
purchase requisitions, certification of funds availability, and the recording of the obligations, 
and record contracts timely; 

4. Revise controls and related policies and procedures to periodically review commitments; 

5. Improve procedures, processes, and internal controls to verify the completeness and accuracy 
of the year-end obligation pipeline adjustment to record all executed obligations for financial 
reporting; and 

6. Establish automated system controls to prevent incurring a commitment/obligation in excess 
of established targets so that funds are not obligated in excess of the apportioned and allotted 
amounts and preclude the processing of procurement transactions if the contracting officer's 
warrant authority had expired. 
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Background: The Federal Emergency Management Agency 
(FEMA)'s accounting and financial reporting requirements are 
very diverse supporting multifaceted operations, such as 
temporary assistance funds, disaster relief loans, national flood 
insurance programs, stockpiles of essential supplies, mission 
assignments to other federal agencies for restoration and 
reconstruction, and grants to state and local governments. These 
programs are sometimes subject to complicated accounting rules, 
as defined by the Federal Accounting Standards Advisory Board 
(FASAB), and require specialized technical knowledge to 
interpret and apply. FEMA has been subject to significant 

reorganization efforts during FY 2007 and FY 2006, while also continuing its disaster relief 
efforts resulting from the 2005 hurricanes affecting the Southern U.S. In addition, FEMA's 
accounting personnel and systems need to be ready to mobilize and support disaster operations 
with little advance notice, while also maintaining sound financial management standards. These 
circumstances place a high demand on financial management and emphasize the need for strong 
entity level controls throughout FEMA. Some of the conditions cited below contributed to 
qualifications of our Independent Auditors' Report in previous years. We believe these 
conditions, which include financial reporting control weaknesses, considered in aggregate, now 
represent a material weakness in financial management and entity level controls at FEMA. 



Until 2007, the DHS OFM, within the OCFO at DHS Headquarters has not been adequately 
staffed with a sufficient number of management personnel who had the requisite financial 
accounting background, knowledge, and expertise, to both (i) set up, and (ii) effectively manage 
the consolidated financial reporting and internal control infrastructure of a large and complex 
Executive Branch agency. However, late in FY 2006 and throughout 2007, the OCFO executed a 
staffing plan to fill gaps in OFM skill sets. With the addition of new financial management and 
staff, restructuring of the OFM, development and issuance of new policies and procedures, and 
improved internal controls, with a focus on entity level controls, we noted that OFM has fully 
corrected its material weakness in Financial Management and Entity Level Controls reported in 
our FY 2006 report. 

In 2006, we reported that ICE corrected its entity level control weaknesses in financial 
management and oversight. The corrective actions taken in 2006 continued to be effective in FY 
2007. 



Conditions: We noted the following internal control weaknesses related to financial management 
and entity level controls at FEMA, when combined with the conditions existing at the Coast 
Guard (see Exhibit I-A, Financial Management and Entity Level Controls), rise to a material 
weakness at the DHS consolidated financial statement level. 

FEMA: 

• Has not established a financial management organizational structure, with clear oversight 
and supervisory review functions that supports the development and implementation of 
effective policies, procedures, and internal controls over financial reporting, to ensure that 
accounting principles are correctly applied and accurate financial data is submitted to 
OFM for consolidation in a timely manner. For example, we noted: 
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The FEMA CFO does not have clearly defined and complete authority and 
responsibility for all financial accounting policy, processes, and control functions 
throughout the agency; 

Financial management oversight functions have not been clearly defined, complete 
with an organizational chart, job descriptions, roles and responsibilities, training 
requirements, and skill sets required; 

A lack of segregation of duties in financial reporting roles; and 

A lack of supervisory review in financial functions, especially over complex, 
nonroutine accounting estimates and adjustments, such as credit reform subsidies. 

• Does not have a sufficient number of experienced financial managers and staff to 
expeditiously address nonroutine accounting issues. A lack of skilled accounting 
resources has contributed to FEMA's inability to perform important accounting functions 
timely. For example, we noted that FEMA did not: 

Fully integrate certain Grants and Training (G&T) accounting processes; 

Perform necessary procedures to completely and accurately present stockpile 
inventory balances in the consolidated financial statements; 

Reevaluate the reasonableness of its allowance rates for disaster relief accounts 
receivable; and 

Prepare and record adjustments for its National Flood Insurance Program accurately 
or timely. A material error was identified after submission of FEMA's year-end 
financial information to OFM. 

• Has not completed and implemented a comprehensive CAP to correct internal control 
weaknesses that are contributing to Department-level material weaknesses, as required by 
OMB Circular No. A-50, Audit Follow-up, as revised. 

• Has not documented and/or updated formal policies and procedures (including desk 
manuals) for many of the roles, responsibilities, processes, and functions performed 
within FEMA. For example, in FY 2007, we noted that improvements are needed in the 
formal documentation of policies and procedures related to Anti-deficiency Act 
compliance, preparation and review of the quarterly and annual financial statements; 
identification of and adherence to GAAP and OMB statements and guidance; policies for 
timely de-obligation of outstanding grant and non-grant obligations that should be closed 
related to the former G&T office; policies for monitoring and responding to OMB 
Circular No. A- 133 reports, Office of Inspector General (OIG) reports, and GAO report 
findings and recommendations; and the quarterly process for estimating accruals 
(including accrual validation). 

• Has not completed the placement of sufficient financial and accounting resources in its 
regional offices, which contributes to certain issues in Mission Assignment accounting. 
For example, Mission Assignment obligations are not closed out timely, and in a sample 
of 216 Mission Assignment payments selected for testwork, we noted that approximately 
10% of the payments were not properly reviewed and approved in accordance with 
FEMA policy. 

Cause/Effect: FEMA maintains a relatively small headquarters infrastructure and accounting 
staff, compared to its diverse programmatic and mission focused objectives. In addition, FEMA 
is dependent on timely information from other federal agencies, state governments, and grantees 



II. 2 



Independent Auditors' Report 

Exhibit II - Material Weaknesses - DHS Civilian Components 



to account for some transactions. FEMA's evaluation of internal control over financial reporting 
conducted pursuant to OMB Circular No. 123, Managements Responsibility for Internal Control, 
and representations made to the Secretary pursuant to the DHS Financial Accountability Act, 
stated that FEMA could not provide reasonable assurance that its internal controls over financial 
reporting are operating effectively to achieve desired objectives during FY 2007. 

Criteria. FMFIA requires that agencies establish internal controls according to standards 
prescribed by the Comptroller General and specified in the GAO Standards. The GAO defines 
internal control as an integral component of an organization's management that provides 
reasonable assurance that the following objectives are achieved: effectiveness and efficiency of 
operations, reliability of financial reporting, and compliance with applicable laws and regulations. 
The GAO Standards identify the control environment, as one of the five key elements of control, 
which emphasizes the importance of control conscientiousness in management's operating 
philosophy and commitment to internal control. These standards cover controls such as human 
capital practices, supervisory reviews, and segregation of duties, policies, procedures, and 
monitoring. 

Recommendations. We recommend that FEMA: 

a) Provide its CFO with clear authority to develop and implement accounting and financial 
reporting policies, procedures, and internal controls throughout the agency. Program 
offices should be required to adhere to policies; 

b) Evaluate the existing financial management organizational and internal control structure 
to determine the number of personnel and resources needed, along with the requisite 
skills and abilities necessary, to ensure that all significant transactions and account 
balances are accurately and completely recorded in FEMA's general ledger in a timely 
manner; 

c) Assign accounting functions and responsibilities to staff to ensure proper segregation of 
duties; 

d) Establish clear management oversight responsibilities and processes to effectively review 
adjustments to account balances and complex, nonroutine accounting transactions; 

e) Develop and implement a comprehensive CAPs to correct conditions that contribute to 
the Department-level material weaknesses in internal controls, and prevented FEMA 
management from providing reasonable assurance on the effectiveness of internal 
control; 

f) Fully implement plans to place comptrollers in each regional office; and 

g) Ensure that procedures are in place to maintain all job-related training, and other critical 
personnel actions. 



II-B Financial Reporting (DHS-HQ, FEMA, and TSA) 



Background: DHS-HQ (or DHS Management and Operations) is 
comprised of various programs, reporting entities, and offices 
including, the OCFO. The OCFO is primarily responsible for 
the financial accounting and reporting infrastructure of the 
Department, together with other responsibilities as defined in the 
Chief Financial Officers Act of 1990, as amended by DHS 
Financial Accountability Act of 2004. DHS' OFM is responsible 
for preparing the Annual Financial Report (AFR), including the 
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consolidated financial statements, footnote and supplementary data, from trial balances and other 
financial data submitted by the components to OFM through the TIER system. DHS components 
are responsible for providing OFM complete, accurate, and timely submission of monthly 
financial data and reports. The DHS CFO has authority to establish accounting policy that must 
be followed by components when submitting data used in the DHS consolidated financial 
statements, and has established Standard Operating Procedures (SOP)s, to perform oversight and 
monitoring controls over financial data submitted by the components that are properly designed 
and effective when fully completed. During FY 2007, the OCFO issued a component guide that 
describes component reporting procedures and requirements, as well as other policy memoranda, 
and several additional DHS-wide policies are scheduled for release in 2008. 

FEMA identified a material weakness in internal control over financial reporting in its FY 2007 
assurance statement sent to the Secretary, in accordance with Departmental policies requiring self 
evaluation of internal controls pursuant to FMFIA and OMB Circular No. A- 123. The financial 
reporting internal control weaknesses at FEMA are included in Exhibit II-A, Financial 
Management and Entity Level Controls. 

The TSA began using the Coast Guard's Core Accounting System (CAS) for its primary general 
ledger in FY 2005. The transition to a new accounting system required the development and 
implementation of many new accounting processes and procedures, some of which were needed 
to mitigate material weaknesses in internal controls that existed prior to TSA's migration to CAS 
and that currently exist at the Coast Guard. This process of setting up a financial accounting and 
reporting process interfered with TSA's ability to prepare timely and accurate financial 
statements through 2006, and contributed to a material weakness in internal controls over 
financial reporting. In FY 2007, TSA developed and implemented a CAP to address its financial 
reporting and other accounting internal control weaknesses. TSA has made progress toward 
correction of control weaknesses in financial reporting in FY 2007. 

In 2006, we reported that ICE corrected its internal control weaknesses over financial reporting. 
The corrective actions taken in 2006 continued to be effective in FY 2007. 

Conditions: We noted the following internal control weaknesses related to financial reporting at 
DHS-HQ and TSA: 

1. DHS-HQ: 

• Has made significant progress toward the performance of responsibilities related to the 
consolidated financial reporting at DHS, however additional improvements are needed to 
fully implement a consolidated financial reporting process. This condition is supported, in 
part by these observations: 

As part of the Post-Katrina reorganization, the Office of Health Affairs (OHA) was 
established. The accounting, reporting, and data gathering responsibilities for the new 
entity, including a new reporting requirement affecting the presentation of a transfer 
appropriation account and related activity conducted by another Federal agency and 
reimbursed by OHA, were not clearly established and delegated in time to be effective 
during the year. OHA does not have the administrative infrastructure in place to 
facilitate (i.e., user controls) financial reporting functions provided by its service 
provider (i.e., service provider controls) which changed during FY 2007. 
Consequently, DHS management was unable to support its implementation of a new 
reporting requirement of OMB Bulletin No. A-136, Financial Reporting 
Requirements, affecting the accounting and presentation of budgetary allocation 
transfers that occurred at OHA, and was unable to represent that the balance sheet of 
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OHA is fairly stated in conformity with U.S. generally accepted accounting principles 
at September 30, 2007. Specifically, OHA did not obtain assurance that $1.4 billion 
of fund balance with Treasury and undelivered orders recorded as result of a budget 
allocation to another Federal agency, was properly stated at September 30, 2007. The 
total assets of OHA, as reported in the accompanying DHS balance sheet as of 
September 30, 2007, were $3.2 billion or 4 percent of total DHS consolidated assets. 

DHS was not able to timely or completely reconcile intragovernmental balances with 
other Federal entities, particularly the Department of Defense. Consequently, the 
DHS' Material Difference/Status of Disposition Certification Report, submitted to the 
Treasury for September 30, 2007, showed material differences attributable to 
accounting/reporting errors in excess of $1.5 billion FEMA, Coast Guard, TSA and 
CBP are DHS components that have significant intragovernmental transactions 
throughout the year. These conditions also impacted DHS' ability to accurately report 
transactions with Federal government trading partners in the financial statements as 
required; and 

Instances were noted where DHS components routinely provided OFM incomplete or 
inaccurate information, and/or did not respond timely to OFM' inquires. 
Consequently, OFM was often unable to fully complete its own procedures for timely 
review of component financial data and, therefore, are unable to resolve potential 
errors before the financial statements were prepared. 

• Has not fully implemented recently issued policies, and we noted weaknesses in the 
operating effectiveness of the following established policies: 

Beginning of the year balance reconciliations that ensure opening balances agree to 
the prior year ending balances. These weaknesses resulted in several material errors 
in the financial statements that were not identified by OFM, until questioned during 
our audit; 

Interim financial statement preparation and support. During our review of the June 
30, 2007, draft financial statements, we noted some errors and discrepancies that were 
not corrected prior to submission to the auditor. In some cases, we noted that 
erroneous entries were recorded to correct out-of-balance conditions in data submitted 
by components, without support or follow-up, and resolution with the component; and 

Computation of abnormal or unusual account balances, including proprietary to 
budgetary account relationship analysis performed at the consolidated level. 
Currently, there is still a reliance on the external auditor to identify potential errors 
through proprietary to budgetary reconciliations, and refer the differences to 
components and OFM for investigation and resolution. Although upgrades to the 
existing analytical tools have been developed by OFM, they are not yet being fully 
utilized, with full implementation scheduled for FY 2008. 

• Did not always perform key supervisory and monitoring control procedures over work 
prepared by accounting staff during the year. In some cases, we noted that supervisory 
reviews were performed and documented on incomplete information, without evidence of 
closure on open issues. Some reviews were not effective, e.g., did not identify material 
errors in the financial data. For example, some top-side (manual) adjustments to financial 
statements, and fluctuation and variance analysis, were not always reviewed and approved 
by a supervisor. In some cases, we noted that these manual adjustments also created 
misstatements of the financial statement balances, which were identified during our audit. 
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• Has not established Strategic Goals and the financial information systems or sufficiently 
documented processes to accumulate cost data by DHS strategic goal when the goals are 
established, as required by SFFAS No. 4, Managerial Cost Accounting Concepts and 
Standards, and does not have a current strategic plan, as required by the Government 
Performance and Results Act (GPRA) (see Exhibit III-N). 

2. TSA has improved its financial reporting process in FY 2007. While TSA has made progress 
in addressing the conditions we identified and reported in 2006, its financial reporting CAP 
has not been fully implemented by the end of FY 2007. We noted that TSA: 

• Made a number of restatements to its prior year financial statements, primarily as a result 
prior-year data that was not previously reconciled to its general ledger. 

• Did not have certain policies and procedures in place all fiscal year. 

• Required numerous other on-top adjustments to properly close and report its monthly and 
annual financial results, did not consistently reverse all on-top adjustments that required 
reversal, and did not record all on-top adjustments properly. 

• Required significant additional human resources, to perform its year-end general ledger 
close, prepare financial statements, and respond to audit inquiries in a timely manner. 

Cause/Effect: The OCFO adopted CAPs to address the conditions cited above; however, we 
continue to report that the OCFO has a material weakness in financial reporting, primarily 
because the OCFO has not yet fully implemented policies designed to ensure timely, accurate, 
and complete periodic reporting throughout the year, and developed tools to ensure that 
component agencies routinely respond to inquiries and actively investigate and resolve potential 
accounting and reporting errors in a timely manner. In some cases, newly designed centralized 
policies and procedures, together with effective internal controls over financial reporting, have 
not been fully implemented as of September 30, 2007. In addition, challenges remain in obtaining 
consistently complete and accurate data from DHS components, affecting OFM's ability to 
completely perform its responsibilities in a timely manner. 

Intragovernmental out-of-balances exist in many Federal agencies and DHS is dependent on other 
Federal agencies maintaining accurate account balances in order to fully reconcile its balances. 
No government- wide system currently exists to allow for this reconciliation to be done 
independently by DHS. Although OFM undertook numerous corrective actions in FY 2007, 
including initiating a consolidated confirmation process, holding workshops to instruct 
components how to reconcile balances, assisting components in implementing procedures to 
support balances with external trading partners, and meeting with OMB and other agencies to 
directly reconcile differences, DHS was not able to fully reconcile its balances. OFM's process 
does demonstrate progress; for instance, it recently reconciled a $350 million difference with the 
Department of Defense. 

TSA's CAP is a two-year plan to fully remediate the process and control weaknesses in financial 
reporting, which is not scheduled for completion until FY 2008. TSA invested substantial 
resources to reconcile its beginning balance sheet accounts, as necessary, to obtain an external 
audit of those accounts. FY 2007 was a "catch-up" year, intended to establish more efficient and 
effective accounting and financial reporting processes which will benefit FY 2008 and beyond. 

Criteria: OMB Circular No. A- 136, Financial Reporting Requirements, revised July 24, 2006, 
changed the financial reporting requirements for transferring, or allocating, budget authority from 
one entity to another within or to another Federal department (i.e., parent/child reporting). OMB 
Memorandum M-07-12 clarified the reporting requirements and emphasized that the two Federal 
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departments may need to coordinate to ensure that parent's reporting and auditing requirements 
are met. 

The Treasury Federal Intragovernmental Transactions Accounting Policies Guide, dated August 
18, 2006, and OMB Circular No. A-136, require Federal CFO Act and non-CFO Act entities 
identified in the Treasury Financial Manual (TFM) 2006, Vol. I, Part 2-Chapter 4700, Agency 
Reporting Requirements for the Financial Report of the United States Government, to perform 
quarterly reconciliations of intragovernmental activity/balances. TFM, Section 4706, 
Intragovernmental Requirements, requires reporting agencies to reconcile and confirm 
intragovernmental activity and balances quarterly for specific reciprocal groupings. TFM Bulletin 
2007-03 Intragovernmental Business Rules, also provides guidance to Federal agencies for 
standardizing the processing and recording of intragovernmental activities. 

OMB Circular No. A- 123 defines management's responsibility and provides guidance to Federal 
managers on improving the accountability and effectiveness of Federal programs and operations 
by establishing, assessing, correcting, and reporting on internal control. Within the organizational 
structure, management must clearly: define areas of authority and responsibility; appropriately 
delegate the authority and responsibility throughout the agency; establish a suitable hierarchy for 
reporting; support appropriate human capital policies for hiring, training, evaluating, counseling, 
advancing, compensating, and disciplining personnel; and uphold the need for personnel to 
possess and maintain the proper knowledge and skills to perform their assigned duties as well as 
understand the importance of maintaining effective internal control within the organization. 

FMFIA requires that agencies establish internal controls according to standards prescribed by the 
Comptroller General and specified in the GAO Standards. The GAO defines internal control as 
an integral component of an organization's management that provides reasonable assurance that 
the following objectives are achieved: effectiveness and efficiency of operations, reliability of 
financial reporting, and compliance with applicable laws and regulations. The GAO Standards 
identify the control environment, as one of the five key elements of control, which emphasizes 
the importance of control conscientiousness in management's operating philosophy and 
commitment to internal control. These standards cover controls such as human capital practices, 
supervisory reviews, and segregation of duties, policies, procedures, and monitoring. 

OMB Circular No. A-50 states that corrective action taken by management on audit findings and 
recommendations is essential to improving the effectiveness and efficiency of Government 
operations. Each agency shall establish systems to assure the prompt and proper resolution and 
implementation of audit recommendations. These systems shall provide for a complete record of 
action taken on both monetary and nonmonetary findings and recommendations. 

Recommendations: We recommend that: 

1 . DHS-HQ (with OCFO and OFM): 

a) Develop a strategy to quickly provide full accounting and reporting services to newly 
created reporting entities. Identify a full-service accounting provider for OHA, that will 
address the allocation transfer accounting matters early in FY 2008, and make 
appropriate adjustments to the financial statements to accurately reflect activity and 
balances. Consider creating a permanent group within OCFO that will proactively 
identify and resolve accounting issues before they develop into significant problems, 
similar to the process used to assist US-Visit in FY 2007. When appropriate, and needed, 
this group should be directly involved in development and implementation of long-term 
accounting solutions, either within the Directorate or at an existing component; 

b) Fully implement a comprehensive proprietary to budgetary account analysis that is 
performed each month with TIER submissions, and require component entities to 
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investigate and resolve differences in a timely manner. Monthly certifications received 
from component CFOs should specifically state the completion of this procedures, 
together with recording of correcting entries to the general ledger; 

c) Direct component CFO leadership to improve communication and coordination on 
unique accounting and transactional matters, and to improve the accuracy of routine 
monthly data submissions. Problems with timeliness, completeness and accuracy of 
component data submissions, and/or responsiveness to OFM may need the support of the 
CFO to resolve; 

d) In coordination with other DHS components, further develop policies, procedures and 
controls that will result in the timely reconciliation of intragovernmental activity and 
balances. Differences should be reconciled in a timely manner. This may involve setting 
up special arrangements with some trading partners, such as work OFM has begun with 
the Department of Defense. Procedures should include positive confirmation at least on a 
quarterly basis, all intragovernmental activity and balances with their intragovernmental 
trading partners, including other DHS component entities, as prescribed by Treasury 
guidance; 

e) Continue with implementation of the financial reporting management directives 
scheduled for release in FY 2008. Once implemented, the policies should be tested for 
effectiveness, and when necessary, make improvement to addresses weaknesses 
identified; 

f) Improve supervisory and monitoring control procedures over work prepared by 
accounting staff during the year, to ensure that they will reliably identify errors for 
correction, in a timely manner. Consider additional training for component accountants 
to improve the quality of submitted financial data, and for desk officers to improve the 
effectiveness of their initial reviews; and 

g) OCFO and applicable component entities should develop financial information systems 
and document processes to accumulate and present cost data by DHS strategic goal, as 
required by SFFAS No. 4. 

2. TSA: 

a) Consistently adhere to policies and perform procedures for the preparation and approval 
of on-top adjustments for submission to its accounting services provider; 

b) Develop and implement procedures to properly identify all on-top adjustments that 
require reversal in the subsequent period and to ensure the timely reversal of those 
adjustments; and 

c) Once accounting and reporting processes stabilize in FY 2008, perform a financial 
organization and human resource needs assessment in coordination with its accounting 
services provider to determine the optimum number of accounting personnel and skill 
sets required and the most effective organizational structure to sustain efficient 
accounting operations. TSA's accounting operations should be designed and staffed to 
most efficiently support timely responses to auditor inquiries during the year, without 
also causing significant disruption to on-going accounting operations. 

II-C Financial Systems Security 

Background: Financial systems security is essential to achieving effective, reliable reporting of 
financial and performance data. As a part of the financial statement audit, we perform an 
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evaluation of the general controls over significant DHS financial IT systems. Effective general 
controls are typically defined by the GAO's FISCAM, in six key control areas: entity-wide 
security program planning and management, access control, application software development 
and change control, system software, segregation of duties, and service continuity. In addition to 
general controls, financial systems contain application controls, which are the structure, policies, 
and procedures that apply to use, operability, interface, edit and monitoring controls of an 
application. We tested various application controls of key DHS financial systems as part of our 
IT audit test work. 

The primary IT systems evaluated as a part of our audit are the component general ledger and 
subsidiary/feeder subledger or modules that support the financial statements and specific 
accounting processes such as grants, loans, excise tax receipts, etc. 

During FY 2007, DHS Civilian Components took significant steps to improve their financial 
systems security, particularly the FISCAM general control areas entity-wide security program 
planning and management, and system software, which resulted in the closure of more than 30% 
of our prior year IT control findings. 

Conditions: The FISCAM IT general control areas that continue to present a risk to financial 
systems security and data integrity include: 1) excessive access to key DHS financial 
applications; 2) application change control processes that are inappropriate in other locations not 
fully defined, followed, or effective; and 3) service continuity issues impacting DHS' ability to 
ensure that DHS financial data is available when needed. The conditions supporting our findings 
collectively limit DHS' ability to ensure that critical financial and operational data is kept secure 
and is maintained in a manner to ensure confidentiality, integrity, and availability. Our findings, 
including significant deficiencies that do not rise to the level of being a material weakness, are 
described in greater detail in a separate Limited Official Use letter provided to DHS management. 

Regarding access controls - we noted: 

• Excessive access existed within financial applications at two DHS components. 
Specifically, instances of generic shared accounts exist on the financial applications. 
These accounts have every privilege within the application, including the ability to 
create/delete/modify user accounts. 

• Account management documentation did not exist, and user account lists were not 
periodically reviewed for appropriateness, resulting in inappropriate authorizations and 
excessive user access privileges across two DHS components. 

• Accounts were not configured to disable upon personnel termination across two DHS 
components. 

• Two DHS components had a large number of instances of inadequate or weak passwords 
that existed on key servers and databases that house financial data. 

• Instances where workstations, servers, or network devices were configured without 
necessary security patches, inactivity time-outs, and proactive/appropriate vulnerability 
scanning not occurring. 

• Audit logs were not reviewed at one DHS component, and the most restrictive security 
settings for the audit logging of highly privileged accounts and the protection of data sets 
were not enabled for a financial application at another DHS component. 
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Regarding application software development and change control — we noted: 

• Instances where changes made to the configuration of the system were not always 
documented or performed for test plans, test results, approvals or software modifications 
at two DHS components. Additionally, documented approval did not exist, or was not 
always retained, for emergency enhancements, "bug" fixes, and data fixes, and in some 
cases, audit logs for tracking changes to the data or systems were not activated. 

• One DHS component had implemented a separate and secondary change control process 
outside of and conflicting with the established change control process. In another 
instance, changes were made prior to management approval. Instances where changes 
made to the configuration of the system were not always documented or performed 
through System Change Requests (SCRs), test plans, test results, approvals, or software 
modifications at two DHS components also existed. 

• The contract that a DHS component has with the software vendor does not include 
security configuration requirements that must be adhered to during the configuration 
management process. 

• Instances where policies and procedures regarding change controls were not in place to 
prevent users from having concurrent access to the development, test, and production 
environments of the system, or for restricting access to application system software and 
system support files. 

• Policies and procedures surrounding the system development life cycle (SDLC) process 
have not been documented or adopted a finalized SDLC. 

Regarding service continuity - we noted: 

• The Continuity of Operations Plan (COOP) does not include an accurate listing of critical 
information technology systems, did not have critical data files and an alternate 
processing facility documented, and was not adequately tested for DHS one component. 
An alternate processing site is not operational for DHS one component. 

• Backup tapes are not rotated off site or are not periodically tested. One DHS component 
did not have policy and procedures developed for testing of backups. 

• Rules of Behavior forms are not consistently signed prior to gaining local area network 
(LAN) access for one DHS component. 

Cause/Effect: Many of these weaknesses were inherited from the legacy agencies that came into 
DHS or system development activities that did not incorporate strong security controls from the 
outset and will take several years to fully address. A contributing cause to repeated findings is 
that DHS lacks an effective component-wide prioritization of IT systems issues, including the 
development of a stable centralized IT platform for the Department. Several attempts have been 
made, such as eMerge and eMerge 2, to centralize the financial IT platform; however, each has 
been halted or delayed. In addition, we found that focus is also placed on the tracking of response 
to audit recommendations, instead of on developing the most effective method of addressing the 
actual control weakness; and when weaknesses in controls or processes are identified, the 
corrective actions address the symptom of the problem and do not the correct root cause - 
amounting to a temporary fix. 

The effect of the IT weaknesses identified during our testing impacts the reliability of DHS' 
financial data. Many of these weaknesses, especially those in the area of change controls, may 
result in material errors in DHS' financial data that are not detected, in a timely manner, in the 
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normal course of business. In addition, as a result of the presence of IT weaknesses there is 
added pressure on the other mitigating manual controls to be operating effectively at all times. 
Because mitigating controls often require more human involvement, there is an increased risk of 
human error that could materially affect the financial statements. 

Criteria: The FISMA passed as part of the E-Government Act of 2002, mandates that Federal 
entities maintain IT security programs in accordance with NIST guidance. 

OMB Circular No. A-130 describes specific essential criteria for maintaining effective general IT 
controls. 

FFMIA set forth legislation prescribing policies and standards for executive departments and 
agencies to follow in developing, operating, evaluating, and reporting on financial management 
systems. The purpose of FFMIA is: (1) to provide for consistency of accounting by an agency 
from one fiscal year to the next, and uniform accounting standards throughout the Federal 
Government; (2) require Federal financial management systems to support full disclosure of 
Federal financial data, including the full costs of Federal programs and activities; (3) increase the 
accountability and credibility of federal financial management; (4) improve performance, 
productivity and efficiency of Federal Government financial management; and (5) establish 
financial management systems to support controlling the cost of Federal Government. 

DHS' Sensitive Systems Policy, 4300A, documents policies and procedures adopted by DHS 
intended to improve the security and operation of all DHS IT systems. 

The FISCAM provides a framework and recommended audit procedures that are used to conduct 
the IT general control test work. 

Recommendations: We recommend that the DHS Office of Chief Information Officer in 
coordination with the OCFO make the following improvements to the Departments financial 
management systems: 

For access controls: 

a) Implement an account management certification process within all the components to 
ensure the periodic review of user accounts for appropriate access and to ensure that 
generic accounts do not exist on the system; 

b) Implement and appropriately implement an access authorization process that ensures that 
a request is completed and documented for each individual prior to granting him/her 
access to a financial application or database; 

c) Implement a process to ensure that all accounts of terminated individuals from the system 
are immediately removed/end-dated/disabled upon their departure. This includes both 
terminated employees and contractors; 

d) Enforce password controls that meet DHS' password requirements on all key financial 
systems. Conduct periodic vulnerability assessments, whereby systems are periodically 
reviewed for access controls not in compliance with DHS and Federal guidance and 
ensure that action is taken to remediate any security weaknesses identified; 

e) Implement a patch and security configuration process, and enforce the requirement that 
systems are periodically tested by DHS components and the DHS Office of Chief 
Information Officer; and 
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f) Develop and implement detailed procedures requiring the review of operating system 
logs for suspicious activity and conduct audit log reviews of the operating system on a 
consistent and timely basis. 

For application software development and change control: 

a) Further develop and enforce policies that require changes to the configuration of the 
system are approved and documented, and audit logs are activated and reviewed on a 
periodic basis; 

b) Implement a single, integrated change control process over the DHS components' 
financial systems with appropriate internal controls to include clear lines of authority to 
the components' financial management personnel and to enforce responsibilities of all 
participants in the process and documentation requirements. Further develop and enforce 
policies that require changes to the configuration of the system are approved and 
documented, and audit logs are activated and reviewed on a periodic basis; 

c) Reevaluate and revise the contract between DHS and the software vendor or otherwise 
ensure that the security configurations associated with the application changes and 
software patches are in compliance with DHS and NIST standards for financial 
applications; 

d) Develop and implement formal policies and procedures for restricting access to DHS 
system software, and promulgate it to all needed personnel, to be in compliance with 
DHS Sensitive Systems Policy, 4300A; 

e) Develop and implement procedures to perform a periodic review of access to financial 
application software and support files to determine whether access is valid, consistent 
with job responsibilities, and according to the least privilege principle; and 

f) Remove excessive access to the all DHS financial application software and support files. 
Develop, document and implement a formalized SDLC process. 

For service continuity: 

a) Update the COOP to document and prioritize an accurate listing of critical IT systems; 

b) Perform testing of key service continuity capabilities, including contingency planning; 

c) Ensure that the alternate processing site is made operational; 

d) Rotate backups off-site on a regular basis, implement policies and procedures developed 
to enforce testing of backups, and Test backups at least annually; 

e) Revise the COOP to incorporate critical data files and alternate processing facility; and 

f) Ensure that all employees and contractors acknowledge and sign a Rules of Behavior 
prior to being granted LAN access. 

II-D Not Used 

II-E Capital Assets and Supplies (FEMA, TSA and US- 
Visit) 

Background: FEMA maintains a stockpile of inventory (e.g., 
blankets, bottled water, cots, tarps, plastic sheeting, Meals 
Ready to Eat, and ice), to be used for disaster relief if the need 
arises. After the 2005 hurricane season, FEMA substantially 
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increased the amount of supplies that are stockpiled. The large increase in supplies has also 
increased the asset's carrying value on FEMA's and DHS' financial statements. FEMA policies 
require the agency to conduct an annual inventory of the supplies. 

TSA maintains extensive capital assets used at airports to screen passengers and their baggage. In 
FY 2006, we reported accounting process and control weaknesses at TSA related to, among other 
things, the unreconciled Property, Plant and Equipment (PP&E) balances, and the lack of 
supporting documentation needed to perform our audit. These conditions also prevented TSA 
from asserting that its September 30, 2006 PP&E was fairly stated. During FY 2007, TSA 
executed a CAP to correct these deficiencies. We noted that TSA corrected the deficiencies we 
reported in prior years by September 30, 2007. 

The mission of US-Visit is to collect, maintain, and share information on foreign nationals 
traveling to and from the United States in order to enhance national security, facilitate legitimate 
trade and travel, and contribute to the integrity of our immigration system, while deploying the 
program in accordance with existing privacy laws and policies. Customized software is being 
developed to assist with this objective. 

Conditions: We noted the following internal control weaknesses related to capital assets and 
supplies at FEMA, TSA and US-Visit: 

1. FEMA: 

• Did not fully adhere to its policies when performing its annual physical count of supplies 
inventory. We noted that: 

Inventory counts were not fully reconciled to FEMA's Logistics Information 
Management System (LIMS), which is used to track inventory; 

Inventory counts were not conducted in a well-controlled environment. We noted 
numerous weaknesses in how the procedures were conducted, which increased the 
likelihood of error; and 

In some cases inventory that was in LIMS could not be located. 

• Adjustments to the stockpile inventory were not recorded in FEMA's general ledger 
system as they occurred throughout FY 2007. 

2. TSA: 

• Did not reconcile its PP&E subsidiary ledger to its general ledger consistently and timely 
throughout FY 2007. However, TSA was reconciling timely by year-end. 

• Has not recorded depreciation on certain explosive detection equipment, using a method 
that is consistent with generally accepted accounting principles. Specifically, TSA began 
recording depreciation expense prior to the date the equipment was placed in service. 
Consequently, TSA has recorded excessive depreciation expense during FY 2007 and in 
previous years totaling approximately $80 million. TSA recomputed the depreciation 
expense, using the correct date placed in service, and adjusted its PP&E, depreciation 
expense, and net position balances to correct the error in its FY 2007 financial statements. 
The adjustment also resulted in a restatement of TSA's 2006 financial statements. 

• Uses USSGL Account No. 1 890 (Other PP&E) to record all PP&E purchases, which is 
not compliant with the USSGL requirements of FFMIA. 

• Improperly capitalized certain advance payments to vendors as construction in progress. 
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3. US-Visit: 

• Did not consistently apply procedures to identify and capitalize software development 
costs or to reclassify software placed into production from software in development; and 

• Does not have a reliable financial accounting and reporting process or system in place to 
routinely account for its software expenditures, capitalize appropriate amounts, and report 
those balances to OFM to report in the consolidated financial statements. 

Cause/Effect: FEMA personnel performing the physical count of supplies lacked training in 
proper inventory count procedures and failed to reconcile results to the LIMS database. Without 
accurate physical counts and reconciliations to the perpetual records, FEMA cannot be sure 
supplies exist, listings of available supplies are complete, and the financial statements accurately 
reflect the asset values. FEMA was unable to devote sufficient human resources to properly 
account for its stockpile during FY 2007 (see Exhibit II-A, Financial Management and Entity 
Level Controls). 

TSA personnel considered that the date of purchase and receipt of the explosive detection 
equipment was a reasonable approximation of the date the asset was placed in service. 
Verification of the reasonableness of this accounting practice was not performed, and 
consequently the discrepancy was not discovered until our audit of capital assets this year. 
Because of insufficient accounting code details on purchase orders and related system 
configurations, TSA's accounting services provider (Coast Guard) records PP&E purchases that 
do not have sufficient accounting code details to USSGL Account No. 1890 until information is 
available to record such purchases in the appropriate capitalized PP&E or expense account. 

US-Visit has developed adequate accounting policies for tracking software development costs, 
these policies are not fully or adequately implemented during FY 2007. With assistance from 
OFM, US-Visit was able to manually compute an estimated balance, which was reclassified to 
capitalized software at year end for financial statement presentation purposes. A lack of sufficient 
personnel assigned to the financial reporting areas of US-Visit appear to have contributed to 
implementation delays. 

Criteria: SFFAS No. 6, Accounting for Property, Plant, and Equipment, requires that PP&E is 
recorded at historical cost with an adjustment recorded for depreciation. Depreciation expense 
should be recognized in the financial statements beginning on the date that the asset is placed in 
service for its intended use. 

According to GAO Standards, assets at risk of loss or unauthorized use should be periodically 
counted and compared to control records. Policies and procedures should be in place for this 
process. The FSIO publication, Inventory, Supplies, and Material System Requirements, states 
that the general requirements for control of inventory, supplies, and materials consist of the 
processes of receipt and inspection. An agency's inventory, supplies and materials system must 
identify the intended location of the item and track its movement from the point of initial receipt 
to its final destination. SFFAS No. 3, Accounting for Inventory and Related Property, states 
OM&S shall be valued on the basis of historical cost. 

Per FEMA Manual 6150.1 Section 4-4g, Annual Inventory of Accountable Property, the 
designated Property Management Officers (PMO) will ensure that a complete physical inventory 
of FEMA property with acquisition cost of $5,000 or more, sensitive items, serialized equipment, 
and loaned equipment is made annually, discrepancies reconciled, and the results maintained on 
file for one year. The annual inventory of accountable property may be wall-to-wall (closed), 
cyclic (open), or special (when directed). A wall-to-wall inventory is a complete counting of all 
items located within the organization as of a scheduled date. A cyclic inventory is the counting of 
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a portion of the organization's property during a given period of time (monthly, quarterly, or 
semiannually) to cover the entire account in a one-year period. A special inventory is the 
counting of selected items for a specific reason. 

SFFAS No. 10, Accounting for Internal Use Software, provides requirements for the 
capitalization and reporting of software development costs. GAO Standards require that internal 
control and all transactions and other significant events be clearly documented and readily 
available for examination. The JFMIP, Property Management Systems Requirements, state that 
the agency's property management system must create a skeletal property record or have another 
mechanism for capturing information on property in transit from the providing entity (e.g., 
vendor, donator, lender, grantor, etc.). 

Recommendations: We recommend that: 
1 FEMA. 

a) Devote necessary personnel to develop and implement proper accounting policies and 
procedures and related internal controls to ensure that its stockpiled inventory is 
accurately and completely accounted for in its general ledger throughout the year; 

b) Establish and implement a plan to perform a closed annual inventory count as required by 
FEMA Manual 6150.1 Section 4-4g, Section g., Annual Inventory of Accountable 
Property; 

c) Provide more training and detailed instruction to Logistics Center staff on performing 
inventory counts, including the completion of count sheets and the performance of 
recounts; and 

d) Reconcile the physical inventory counts, including the annual physical inventory, to the 
perpetual counts recorded in LIMS, and resolve related discrepancies. 

2. TSA: 

a) Formally modify its policy to define the placed in service date, which then begins the 
process of recording periodic depreciation expense; 

b) Implement needed IT system changes to properly account for and maintain placed in 
service dates; 

c) Work with its accounting services provider to discontinue the use of USSGL Account 
No. 1890 and record PP&E to the proper general ledger account upon purchase; and 

d) Develop and implement management review controls over equipment purchase contracts 
to ensure that amounts advanced to vendors are properly accounted for given the terms of 
the underlying contract. 

3. US-Visit implement procedures for developers to track and notify accounting personnel when 
software has been placed into production so that accounting personnel can properly classify 
and amortize the software costs, and appropriate and sufficient evidence is maintained to 
document management's decisions that lead to significant accounting transactions. 



II-F Other Liabilities (FEMA, G&T, and TSA) 

Background: In 2006, we reported that OFM and DHS General 
Counsel had not implemented adequate policies and procedures 
to accurately estimate and report an accrual for contingency legal 
liabilities. OFM, DHS General Counsel, and each of the DHS 





2007 






OFM 


C 




MA. 


FEMA 


MW 






G&T* 








TSA 


SD 





II. 15 



G&T grants merged with FEMA in 2007 



Independent Auditors' Report 

Exhibit II - Material Weaknesses - DHS Civilian Components 



component entities implemented a corrective action plan in 2007, and have successfully 
remediated the control deficiencies we reported last year. 

For the first two fiscal quarters of FY 2007, the G&T was a component of the Preparedness 
Directorate within DHS. During this time, accounting services for G&T were provided by the 
Department of Justice through an interagency agreement. These accounting services included the 
development and implementation of a grant accrual methodology to be used in G&T's quarterly 
reporting financial reporting. Effective March 31, 2007, G&T's operations were transferred to 
FEMA as a result of the Post-Katrina Emergency Management Reform Act of 2006. The 
financial and grant data of G&T was fully transferred to FEMA on May 15, 2007. Accordingly, 
FEMA is now responsible for providing accounting services for G&T, including the grant accrual 
methodology, and prepares its monthly financial submissions used by OFM to prepare the DHS 
consolidated financial statements. 

A part of TSA's employee compensation package includes annual leave, which accrues at varying 
rates and is based on years of service, and related benefits. The annual leave liability and related 
benefit accruals in TSA's financial statements at September 30, 2007, totaled approximately $193 
million. 

Conditions: We noted the following internal control weaknesses related to other liabilities: 

1. FEMA: 

• Did not establish a reliable method, including validation of data and assumptions made, to 
estimate G&T grants payable [or advances] for accrual in the financial statements at 
September 30, 2007. FEMA management was unable to provide assurance that the 
accrued liability related to former G&T grants, was accurate, and complete at September 
30, 2007. 

• Did not have sufficient policies and procedures in place to fully comply with the Single 
Audit Act Amendments of 1996 and related OMB Circular No. A-133, Audits of States, 
Local Governments, and Nonprofit Organizations (see Exhibit IV-K, Single Audit Act 
Amendments of 1996). 

2. TSA: 

• Has not maintained all of the necessary supporting documentation for us to complete our 
audit procedures over accrued annual leave. From a sample of 75 items, 1 3 items could 
not be supported and 5 contained errors. 

• Has not reconciled annual leave balances earned by employees per the payroll provider's 
output records to the data submitted by TSA and with the general ledger on a routine 
basis, which likely contributed to the errors identified in our sample. 

Cause/Effect: FEMA did not have sufficient resources to perform all accounting functions 
related to the transfer of G&T grant administration and accounting that occurred in FY 2007. 
FEMA accounting staff used FEMA's historical methodology for estimating the grant liability for 
FEMA's grant portfolio to compute and record a grant liability at year end for the former G&T 
grant portfolio. However, FEMA was unable to validate this application of its methodology as 
appropriate and plans to perform its validation during FY 2008. Consequently, we were unable 
to complete our audit procedures over the accrued grant liability presented in the DHS 
consolidated balance sheet at September 30, 2007. Additionally, without effective procedures to 
timely resolve and close audit reports with identified questioned costs or other findings, the 
circumstances leading to the findings may continue to exist and amounts due to the government 
may not be received timely. 
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The portion of TSA's annual leave liability that is in question relates to a balance that was 
transferred from a payroll system that has been replaced. Supporting information is not readily 
available to determine the correct liability at September 30, 2007. 

Criteria: GAO Standards hold that transactions should be properly authorized, documented, and 
recorded accurately and timely. SFFAS No. 1, Accounting for Selected Assets and Liabilities, 
states, "When an entity accepts title to goods, whether the goods are delivered or in transit, the 
entity should recognize a liability for the unpaid amount of the goods. If invoices for those goods 
are not available when financial statements are prepared, the amounts owed should be estimated." 

SAS No. 57, Auditing Accounting Estimates, states "An entity's internal control may reduce the 
likelihood of material misstatements of accounting estimates. Specific relevant aspects of 
internal control include the following: Accumulation of relevant, sufficient, and reliable data on 
which to base an accounting estimate and comparison of prior accounting estimates with 
subsequent results to assess the reliability of the process used to develop estimates." 

OMB Circular No. A- 133 states that grants should be monitored by the grant making 
organization. 

Recommendations: We recommend that: 

1. FEMA: 

a) Develop, test (e.g., validation of data and assumptions made), and implement a reliable 
method to periodically estimate G&T grants payable [or advances] for accrual in the 
financial statements during the year; and 

b) Implement policies and procedures to ensure full compliance with OMB Circular No. A- 
133. 

2. TSA: 

a) Develop and perform procedures to enable management to assert to the appropriateness 
of the "beginning" accrued leave balance at a point in time (e.g., October 1, 2007). For 
example, these procedures may involve validating leave balances for all TSA employees 
at the selected point in time. These procedures should require that sufficient 
documentation be retained for purposes of the annual financial statement audit; and 

b) Develop and implement policies and procedures to reconcile annual leave balances per its 
payroll provider output records to input records submitted by TSA and to the TSA 
general ledger each pay period. These reconciliations should be documented, reviewed 
by an appropriate supervisor, and maintained. 

II-G Budgetary Accounting (FEMA and TSA) 



Background: Budgetary accounts are a category of general ledger 
accounts where transactions related to the receipt, obligation, and 
disbursement of appropriations and other authorities to obligate 
and spend agency resources are recorded. Combined, DHS has 
over 300 separate Treasury fund symbols (TAFS), each with 
separate budgetary accounts that must be maintained in accordance 
with OMB and Treasury guidance. The TAFS cover a broad 
spectrum of budget authority, including annual, multiyear, and no- 
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year appropriations; and several revolving, special, and trust funds. Accounting for budgetary 
transactions in a timely and accurate manner is essential to manage the funds of the Department 
and prevent overspending of allotted budgets. 

Immigration and Customs Enforcement (ICE), Management Directorate, and U.S. -Visit each 
developed and implemented corrective action plans during FY 2007, to address the internal 
control weaknesses in budgetary accounting that we reported in our 2006 report. 

The National Response Plan (NRP) calls for use of Other Federal Agencies (OF A) to provide 
goods and services to assist FEMA with its response to a disaster, as needed. The NRP defines a 
Mission Assignment as the vehicle used by FEMA to support Federal operations during a major 
disaster or emergency declaration covered under the Stafford Act. These work orders are issued 
by FEMA to OFAs to direct completion of a specific task and represent the primary 
documentation maintained by FEMA to support its obligations for disaster relief 
operations/programs being performed by OFAs. 

TSA has substantial obligations and undelivered orders at year end, primarily for contract 
services and purchases of equipment. TSA's Office of Acquisition in coordination with TSA's 
Office of Financial Management monitors obligation activity and provides key input data needed 
to properly deobligate funds and prepare an accurate accounts payable estimate. 

Conditions: We noted the following internal control weaknesses related to budgetary accounting: 

1. FEMA: 

• Did not adequately monitor the status of its obligations and ensure the timely deobligation 
of mission assignments resulting in a material misstatement of UDOs at the time of our 
testwork. We noted the following: 

In a sample of 74 mission assignment obligations, approximately 50 percent were past 
their projected end dates by more than 120 days, and in some cases more than a year; 
and 

Quarterly reviews of open obligations required by FEMA policies were not 
consistently performed or documented in the supporting records. 

• OFA's did not always provide FEMA with timely progress reports that included sufficient 
cost/billing data. Sufficient documentary evidence was not obtained and/or documented 
timely for mission assignment manager follow-up procedures with the OFAs. 

2. TSA: 

• Does not have a funds control process in place to monitor outstanding obligation balances 
on a periodic basis (e.g., quarterly). During our interim testwork we identified 7 errors 
out of a sample of 75 items, and a projected overstatement undelivered orders of 
approximately $200 million. During our year-end testwork we identified 26 errors out of a 
sample of 195 items, and a projected overstatement of undelivered orders of 
approximately $130 million. 

• Does not have sufficient policies and procedures requiring contract officers to monitor 
and close-out contracts, and we noted some deficiencies in the effectiveness of TSA's 
validation and verification process conducted over its obligations during the second half 
of FY 2007. 
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• Completed an investigation over certain obligations recorded in previous years and 
determined that a violation of the Anti-deficiency Act occurred in previous years (see 
Exhibit IV-P, Anti-deficiency Act). 

Cause/Effect: Although TSA has initiated a validation and verification process over its 
obligations, TSA was unable to complete the process before September 30, 2007. 

FEMA's ability to monitor and manage mission assignments continues to be affected by resource 
limitations. In addition, FEMA is dependent on OFA's to provide timely information on the 
status of mission assignment obligations throughout the year. Lacking this information, FEMA is 
unable to effectively monitor and account for outstanding mission assignments, e.g., recording a 
proper account payable and deobligating excess funds. 

Criteria: FEMA's SOP for Processing Mission Assignment and Interagency Payments for Fund 
Code 06, updated April 2007, establishes the process for mission assignment closeouts. If no 
activity has been recorded within the last 90 days, the Disaster Finance Branch initiates the 
closeout process with the Region or Headquarters. 

The FEMA Form 90-129, Mission Assignment Agreement, states that the OFA is responsible for 
submitting a Mission Assignment Monthly Progress Report to FEMA to include cost data when 
mission assignments take more than 60 days to complete, including billing. To assist with this 
process, OMB issued its Memorandum - Yearend Accounting Guidance for Disaster Relief Fund 
Transactions dated September 17, 2007. 

The Anti-deficiency Act is a series of statutes prohibiting agencies from obligating or expending 
funds in advance of appropriation or apportionment, OMB Circular No. A-l 1 has strict 
requirements for notification and reporting Anti-deficiency violations. GAO Standards hold that 
transactions should be properly authorized, documented, and recorded accurately and timely. 

According to JFMIP's Core Financial System Requirements, an agency's core financial 
management system must ensure that an agency does not obligate or disburse funds in excess of 
those appropriated and/or authorized and specific system edits and user notifications related to 
funds control must be in place. The Federal Acquisition Regulation Section 1.6 addresses the 
authorities and responsibilities granted contracting officers. Treasury's USSGL guidance 
specifies the accounting entries related to budgetary transactions. 

OMB Circular No. A- 123 states, "Agency managers should continuously monitor and improve 
the effectiveness of internal control associated with their programs." This continuous monitoring, 
and other periodic evaluations, should provide the basis for the agency head's annual assessment 
of and report on internal control, as required by FMFIA. This Circular indicates that "control 
weaknesses at a service organization could have a material impact on the controls of the customer 
organization. Therefore, management of cross-servicing agencies will need to provide an annual 
assurance statement to its customer agencies in advance to allow its customer agencies to rely 
upon that assurance statement. Management of cross-servicing agencies shall test the controls 
over the activities for which it performs for others on a yearly basis. These controls shall be 
highlighted in management's assurance statement that is provided to its customers. Cross- 
servicing and customer agencies will need to coordinate the timing of the assurance statements." 

FFMIA Section 803(a) requires that each Agency implement and maintain a system that complies 
substantially with Federal financial management system requirements as stipulated by OMB 
Circular No. A-127. 
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Recommendations: We recommend that: 

1. FEMA: 

a) Require all regional offices to perform a complete UDO review, monitor timely 
completion of this review, and ensure that all identified mission assignment deobligations 
are processed in the general ledger promptly; 

b) Ensure that personnel follow the established policy for quarterly obligation reviews prior 
to the end of each quarter to timely determine whether the remaining balance on a 
mission assignment is valid, or whether a deobligation of the remaining balance is 
necessary; 

c) Enforce the requirement that all OFA's submit not only a progress report when the 
mission assignment takes more than 60 days to complete, but a progress report every 
additional 30 days that the project remains either programmatically or financially 
incomplete. The report should include an estimated completion date and, when 
applicable, Form 90-136 should be submitted for extension of the projected end-date 
whenever the estimate for programmatic completion is more than 30 days; 

d) Consider involving OMB in a permanent solution, such as Agreed-upon Procedures 
engagements, to ensure that FEMA receives sufficient and timely information from 
OFA's to properly account for obligations related to outstanding mission assignments; 
and 

e) Consider adding additional temporary or permanent accounting staff to improve the 
deobligation process (our recommendations in I-A, Financial Management Oversight and 
Entity Level Controls, will also help address these conditions). 

2. TSA: 

a) Require contracting officers to review and certify whether obligations are valid or require 
deobligation on a periodic basis (e.g., quarterly); 

b) Refine or develop a new general ledger reporting tool that provides the contracting 
officers accurate information regarding outstanding obligated balances to include 
information related to the last activity date to assist in aging the balance; 

c) Refine existing processes by which the Business Management Office periodically 
examines outstanding obligations and makes recommendations (e.g., deobligation) on 
outstanding balances; and 

d) Develop formal policies and procedures to assist in expediting deobligations of funds 
associated with invalid obligations in advance of a formal contract close out. 



II. 20 



Independent Auditors' Report 

Exhibit III - Significant Deficiency - DHS Civilian Components 



III-H Custodial Revenue and Drawback 

Background: CBP collects approximately $30 billion in annual import duties, taxes, and fees on 
merchandise arriving in the United States from foreign countries. Receipts of import duties and 
related refunds are presented in the statement of custodial activity in the DHS financial 
statements. CBP is the only DHS component with significant custodial responsibilities. 

Drawback is a remittance, in whole or in part, of duties, taxes, or fees previously paid by an 
importer. Drawback typically occurs when the imported goods on which duties, taxes, or fees 
have been previously paid, are subsequently exported from the United States or destroyed prior to 
entering the commerce of the United States. 

Bonded Warehouses (BW) are facilities under the joint supervision of CBP and the Bonded 
Warehouse Proprietor, used to store merchandise that has not made entry into the United States 
commerce. Foreign Trade Zones (FTZ) are secured areas under CBP supervision that are 
considered outside of the CBP territory, upon activation. In-bond entries occur when 
merchandise is transported through one port; however, the merchandise does not officially enter 
U.S. commerce until it reaches the intended port of origin. 

Conditions: We noted the following internal control weaknesses related to custodial activities at 
CBP: 

Related to drawback: 

• The Automated Commercial System (ACS) lacked automated controls to detect and 
prevent excessive drawback claims and overpayments, necessitating inefficient manual 
processes that do not effectively compensate for these automated controls. 

• Drawback review policies did not require drawback specialists to review all or a 
statistically valid sample of related drawback claims against the underlying consumption 
entries to determine whether, in the aggregate, an excessive amount was claimed. 

Related to the entry process - collection of taxes, duties and fees: 

• Policies, procedures, and general guidance provided to field offices related to review 
procedures, and documentation requirements for the monthly review of the entry process 
are weak. Consequently, we noted a number of instances of noncompliance with CBP 
guidelines, inconsistencies in review performance, and a lack of documentation to 
confirm performance of the monthly reviews. 

Related to BW, FTZ, and In-bond: 

• We noted inconsistencies in the performance of risk assessments and compliance reviews 
of BWs, and FTZs, and in-bond entries in various ports. In addition, HQ review of the 
BW and FTZs assessment results can take up to six months to compile and analyze. 
Further, no policies or procedures exist to monitor the results of the in-bond 
audits/reviews. 

• CBP is unable to determine the status of the in-bond shipments with the information 
available within ACS. 

Cause/Effect: CBP has been challenged to balance its commitment of limited resources to two 
important mission objectives - trade compliance, including the collection of taxes, duties and fees 
owed to the Federal government, and securing the U.S. borders from potential terrorist entry. In 
FY 2007, CBP made significant improvements in its custodial review controls and measurement 
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processes, procedures, and policies. For drawback, much of the process is manual until planned 
IT system functionality improvements are made, placing an added burden on limited resources. 

Criteria: Under FMFIA, management must implement cost-effective controls to safeguard assets 
and ensure reliable financial reporting. OMB 's Revised Implementation Guidance for FF MIA, 
states that financial systems should "routinely provide reliable financial information consistently, 
accurately, and reported uniformly" to support management of current operations. 

JFMIP publications and OMB Circular No. A-127 outlines the requirements for Federal systems. 
JFMIP's Core Financial System Requirements state that the core financial system must maintain 
detailed information by account sufficient to provide audit trails and to support billing and 
research activities. OMB Circular No. A-127 requires that the design of financial systems should 
eliminate unnecessary duplication of a transaction entry. Wherever appropriate, data needed by 
the systems to support financial functions should be entered only once, and other parts of the 
system should be updated through electronic means consistent with the timing requirements of 
normal business/transaction cycles. 

The Improper Payments Information Act of 2002, effective in FY 2004, requires agencies to 
assess the risk of erroneous payments and develop a plan to correct control weaknesses. In 
addition to the regulatory requirements stated above, CBP's Drawback Handbook, dated July 
2004, states that management reviews are necessary to maintain a uniform national policy of 
supervisory review. 

Recommendations: We recommend that CBP: 
Related to drawback: 

a) Implement effective internal controls over drawback claims as part of any new systems 
initiatives, including the ability to compare, verify, and track essential information on 
drawback claims to the related underlying consumption entries and export documentation 
for which the drawback claim is based, and identify duplicate or excessive drawback 
claims; and 

b) Implement automated controls within ACS to prevent overpayment of a drawback claim 
that is subject to deem liquidation. 

Related to entry: 

a) Provide additional detail in the guidelines, specifying the sample size, procedures to 
perform, and documentation requirements for the CM Coordinator's review of the Import 
Specialists' review. The guidance should also readdress the timing requirements for the 
monitoring reports or data queries and documentation retention; and 

b) Conduct periodic training to ensure that all port personnel have comprehensive 
knowledge of the CM program requirements. 

Related to BW, FTZ, and In-bond: 

a) Ensure adequate communication of the ports requirements related to the annual risk 
assessments and compliance reviews and provide effective training so that all responsible 
personnel are aware of and can consistently execute all of the requirements; and 

b) Implement a standard procedure to periodically compile the results of all In-bond 
audit/reviews during the year and develop an analysis function in order to evaluate the 
importers' compliance with regulations. 
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(Exhibits I and II include Comments A - G, and Exhibit III presents Comment H) 

All of the compliance and other matters described below are repeat conditions except IV-P Anti- 
deficiency Act, which is new finding in FY 2007. 

IV-I Federal Managers ' Financial Integrity Act of 1982 (FMFIA) 

Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for 
Internal Control, requires agencies and Federal managers to 1) develop and implement management 
controls; 2) assess the adequacy of management controls; 3) identify needed improvements; 4) take 
corresponding corrective action; and 5) report annually on management controls. During FY 2007, 
DHS developed a CAP titled Internal Controls over Financial Reporting Playbook to implement 
corrective actions and support management assurances by performing tests of design and operating 
effectiveness on entity level controls and other financial accounting and reporting processes. DHS' 
implementation of OMB Circular No. A-123 also facilitates compliance with FMFIA and the DHS 
Financial Accountability Act of 2004, which requires an annual audit of internal control over financial 
reporting. 

While we noted the Department overall has taken positive steps toward full compliance with FMFIA 
and OMB Circular No. A-123, the Coast Guard has not fully established effective systems, processes, 
policies, and procedures to develop and implement internal accounting and administrative controls, 
and conformance of accounting systems. In addition, TSA and FEMA's control assessment processes 
require improvement to ensure full compliance with FMFIA. 

Recommendations: We recommend that the Coast Guard, FEMA, and TSA fully implement the 
FMFIA process, as prescribed by the OCFO, to ensure full compliance with FMFIA and its OMB 
approved plan for Circular No. A-123 implementation in FY 2008. We also recommend that the 
OCFO consider additional training for its components, to ensure a thorough understanding of 
requirements. 

IV-J Federal Financial Management Improvement Act of 1996 (FFMIA) 

Passage of the DHS Financial Accountability Act of 2004 made DHS subject to the FFMIA, 
beginning in FY 2005. FFMIA Section 803(a) requires that agency Federal financial management 
systems comply with 1) Federal accounting standards, 2) Federal system requirements, and 3) the 
USSGL at the transaction level. FFMIA emphasizes the need for agencies to have systems that can 
generate timely, reliable, and useful information with which to make informed decisions to ensure 
ongoing accountability. Office of Management and Budget (OMB) Circular No. A-123, 
Management's Responsibility for Internal Control, requires agencies and Federal managers to 1) 
develop and implement management controls; 2) assess the adequacy of management controls; 3) 
identify needed improvements; 4) take corresponding corrective action; and 5) report annually on 
management controls. During FY 2007, DHS OCFO continued with its implementation of OMB 
Circular No. A-123, by performing tests of design and operating effectiveness on entity level controls 
and other financial accounting and reporting processes as planned. DHS' implementation of OMB 
Circular No. A-123 also facilitates compliance with the DHS Financial Accountability Act of 2004, 
which requires an annual audit of internal control over financial reporting. 

While we noted the Department overall has taken positive steps toward full compliance with FMFIA 
and OMB Circular No. A-123, the Coast Guard, FEMA, and TSA did not fully comply with at least 
one of the requirements of FFMIA. The reasons for noncompliance are reported in Exhibits I, II, and 
III. The Secretary of DFIS also has stated in the Secretary's Assurance Statements dated November 
15, 2007, as listed in Management's Discussion and Analysis (MD&A) of the Department's 2007 
Annual Financial Report (AFR), that the Department cannot provide assurance that its financial 
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management systems are in substantial compliance with the requirements of FFMIA. The 
Department's remedial actions and related timeframes are also presented in that section of the AFR. 

An element within FFMIA Federal system requirements is ensuring security over financial 
management information. This element is addressed further in the Federal Information Security 
Management Act of 2002 (FISMA), which was enacted as part of the E-Government Act of 2002. 
FISMA requires the head of each agency to be responsible for 1) providing information security 
protections commensurate with the risk and magnitude of the harm resulting from unauthorized 
access, use, disclosure, disruption, modification, or destruction of (i) information collected or 
maintained and (ii) information systems used or operated; 2) complying with the requirements of 
the Act and related policies , procedures, standards, and guidelines, including (i) information 
security standards under the United States Code, Title 40, Section 11331 and (ii) information 
security standards and guidelines for national security systems; and 3) ensuring that information 
security management processes are integrated with agency strategic and operational planning 
processes. 

We noted weaknesses in financial systems security, reported by us in Exhibits I-C and II-C 
Financial Systems Security, which impact the Department's ability to fully comply with FISMA. 

Recommendations: We recommend that DHS improve its financial management systems to 
ensure compliance with the FFMIA, and implement the recommendations provided in Exhibits I, 
II, and III in FY 2008. 

IV-K Single Audit Act Amendments of 1996, and Laws and Regulations Supporting OMB 
Circular No. A-50, Audit Follow-up, as revised 

During 2007, DHS' G&T Directorate merged its grants making function with FEMA. FEMA is now 
the only DHS component that has a significant grant making operation. OMB Circular No. A- 133 
requires agencies awarding grants to ensure they receive grantee reports timely and to follow-up on 
grantee Single Audit findings. Although FEMA has adopted procedures to monitor grantees and their 
audit findings, FEMA did not fully comply with provisions in OMB Circular No. A-133 in FY 2007. 
We noted that FEMA does not always obtain and review grantee Single Audit reports in a timely 
manner, and follow up on questioned costs and other matters identified in these reports. Because 
Single Audits typically are performed by other entities outside of DHS, procedures related to these 
reports are not always entirely within the control of DHS and its components. 

OMB Circular No. A-50, as revised, provides guidance for use by executive agencies when 
considering reports issued by Inspectors General, other executive branch audit organizations, the 
GAO, and non-Federal auditors, where follow up is necessary. Corrective action taken by 
management on findings and recommendations is essential to improve the effectiveness and 
efficiency of government operations, and to support the objectives of sound fiscal management. The 
DHS OCFO has developed an extensive corrective action plan that requires each component to 
develop and execute corrective actions to address all material weaknesses in internal controls. This 
strategy is documented in the DHS Internal Controls over Financial Reporting (ICOFR) "Playbook." 
Progress is monitored by the CFO, and regularly reported to OMB and other outside stakeholders, 
such as Congressional Committees. We noted that each component has complied with the OCFO 
directive to develop corrective actions, and they have been reviewed and approved by the CFO. All 
DHS components have made progress toward remediation of material internal control weaknesses; 
however, as shown in described in Exhibits I, II and III, deficiencies identified in prior years have not 
been fully corrected in FY 2007. 
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Recommendations: We recommend that: 
Regarding Single Audit Act Amendments of 1996: 

1 . FEMA develop procedures to ensure compliance with its policy to obtain and review grantee 
Single Audit reports in a timely manner, and follow up on questioned costs and other matters 
identified in these reports. We also recommend that FEMA perform the following in FY 2008: 

a) Further develop and implement a tracking system to identify each grantee for which an OMB 
Circular No. A- 133 Single Audit is required, and the date the audit report is due; 

b) Strengthen communication with the cognizant agencies; 

c) Use the tracking system to ensure audit and performance reports are received timely, or to 
follow-up when reports are overdue; and 

d) Perform reviews of grantee audit reports, issue-related management decisions, and ensure that 
the grantees take appropriate corrective action, on a timely basis. 

Regarding OMB No. A-50, Audit Follow-up, as revised 

2. DHS continue to follow and complete the actions defined in its ICOFR "Playbook," to ensure that 
audit recommendations are resolved timely and corrective action plans addressing all DHS audit 
findings are developed and implemented together with appropriate supervisory review in FY 
2008. 

IV-L Improper Payments Information Act of 2002 

DHS is required to comply with the Improper Payments Information Act of 2002 (the Act or IPIA). 
The Act requires agencies to review all programs and activities they administer annually and identify 
those that may be susceptible to significant erroneous payments. For all programs and activities 
where the risk of erroneous payments is significant, agencies must estimate the annual amounts of 
erroneous payments, and report the estimates to the President and Congress with a progress report on 
actions to reduce them. The agency must report a statistically valid error projection for susceptible 
programs in its annual Performance and Accountability Report (PAR). To facilitate the 
implementation of the Act, OMB issued guidance in Memorandum M-03-13, Implementation Guide 
for the Improper Payments Information Act of 2002, and in Appendix C, Requirements for Effective 
Measurement and Remediation of Improper Payments, to OMB Circular No. A- 123, Management's 
Responsibility for Internal Controls, which provides a recommended process to meet the disclosure 
requirements. 

In FY 2007, we noted the Department has taken positive steps toward full compliance with IPIA, and 
Appendix C of OMB Circular No. A- 123, including identification of programs subject to IPIA, 
conducting a comprehensive process to assess the risk of programs susceptible to improper payments, 
and performing sample testing of programs. However, DHS did not fully comply with the Act in FY 
2007. We noted that at DHS and its components: 

• Some federal disbursements were excluded from the scope of DHS IPIA testwork performed. 

• Some programs identified as high risk of significant improper payments during the 
assessment process were not tested, and some programs identified as low risk of significant 
improper payments were selected for testing. Accordingly, this sample testing did not meet 
the IPIA requirements in FY2007. 

• The testing time frames selected for some components were not approved by OMB in 
advance, and in some cases the testing timeline did not appear to provide enough time to 
complete testwork over selected programs. 
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• CAPs were not developed for all programs identified as "high risk" during the risk 

assessment process, if no statistical sampling was performed to validate those risks during 
FY2007 due to DHS' multi-year compliance plan. 

Recommendation: We recommend that DHS risk assessments be completed earlier in the year so that 
programs identified as high risk by risk assessments are the programs that are sample tested. DHS 
needs to strengthen oversight of components' progress in implementing corrective action plans and in 
recovering improper payments for high-risk programs. Also, DHS should review sample testing 
procedures and begin to independently validate the results of components' sample testing. 

IV-M Chief Financial Officers Act of 1990 

The DHS Financial Accountability Act of 2004 made DHS subject to the Chief Financial Officers Act 
of 1990, as amended, which requires DHS to submit to the Congress and OMB audited financial 
statements annually. DHS' OIG has engaged an independent auditor to audit the September 30, 2007 
balance sheet and related statement of custodial activity. Other financial statements, including the 
statements of net cost, net position, and budgetary resources, are not currently auditable. DHS must 
be able to represent that its balance sheet is fairly stated, and obtain at least a qualified opinion before 
it is practical to extend the audit to other financial statements. 

Recommendation: We recommend that DHS, and its components continue to implement the 
corrective action plans described in DHS' ICOFR "Playbook" (see Comment IV - 1, Federal 
Managers ' Financial Integrity Act of 1982, above) to remediate the FY 2007 material weaknesses and 
significant deficiencies, and improve its policies, procedures, and processes, as necessary, to allow 
management to assert that all financial statements are fairly stated in compliance with accounting 
principles generally accepted in the United States, and are ready for an independent audit. 

IV-N Government Performance and Results Act of 1993 (GPRA) 

The Government Performance and Results Act requires each agency to develop a strategic plan, that 
includes a description of how goals and objectives are to be achieved, including a description of the 
operational processes, skills and technology, and the human, capital, and other resources required to 
meet those goals and objectives. The Department's annual performance plan and performance 
reports, that measure progress toward achieving strategic goals and related performance metrics are 
also integral to compliance with GPRA. We noted that DHS' Strategic Plan expired on October 1, 
2006 and the Department has not yet provided an updated Strategic Plan as of September 30, 2007. 
Consequently, the Department is not in compliance with the requirements of GPRA during FY 2007. 
In addition, we noted that the existing (expired) strategic plan did not align all strategic objectives to 
performance objectives as required. 

Recommendation: We recommend that DHS ensure full compliance with GPRA by completing its 
updated Strategic Plan and aligning all performance goals to its strategic objectives in FY 2008. 

IV-O Debt Collection Improvement Act of 1996 (DCIA) 

The DCIA of 1996 (DCIA) is intended to significantly enhance the Federal Government's ability 
to service and collect debts. Under the DCIA, the Treasury assumes a significant role for 
improving government-wide receivables management. The DCIA requires Federal agencies to 
refer eligible delinquent nontax debts over 180 days to U.S. Treasury for the purpose of collection 
by cross-servicing or the offset program. Our tests of compliance disclosed instances where DHS 
was not in compliance with certain provisions of the DCIA. Specifically, we noted that due 
process is not performed in a timely manner to ensure that some eligible debts are forwarded to 
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the Treasury for cross-servicing or the offset program within the timeframes established by 
DCIA. 

Recommendation: We recommend that DHS develop policies and procedures to ensure full 
compliance with the DCIA in FY 2008. 

IV-P Anti-deficiency Act 

DHS and TSA management notified us of an Anti-deficiency Act violation that occurred in the 
TSA, Expenses Account, Treasury Symbol - 70X0508 in an amount up to $155 million, where 
expenditures and obligations exceeded available funding in FY 2004. The DHS Secretary has 
reported the violation to the President of the United States, the President of the Senate, the 
Speaker of the House of Representatives, and the Comptroller General, as required by 31 U.S.C. 
Section 1351. After establishing certain budgetary authority within its DHS general ledger 
through a journal entry, the related individual purchase orders were then recorded and the journal 
entry reversed in March 2003. A subsequent transaction in May 2003 erroneously reversed the 
initial journal entry amount again. This second journal entry reversal, which led to the Anti- 
deficiency Act violation, overstated TSA's budget authority by underreporting its existing 
obligations. A separate notification of the final determination is still required under 31 U.S.C. 
section 1351. 

Recommendation: We recommend that TSA continue to implement the remedial actions 
resulting from its internal investigation of this matter. 
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U.S. Department of Homeland 
Security 

Washington, DC 20528 



Homeland 
Security 




November 15, 2007 



MEMORANDUM FOR: Richard L. Skinner, Inspector General 
FROM: David L. Norquist, Chief Financial Offfo 




SUBJECT: 



FY 2007 Financial Statement Audit 



This memo is our response to the Independent Public Accountant's audit of our balance sheets as 
of September 30, 2007 and 2006, and the related statement of custodial activities for the years 
then ended. We agree with the Independent Public Accountant's conclusions. 

I would like to thank you for your efforts and the dedication shown by your staff and the 
Independent Public Accountant in working with the Department to improve financial 
management. Although the auditor's report on internal controls and compliance indicates that 
DHS still faces serious financial management challenges, I am encouraged to note that 
significant progress was made this year. This progress has been made possible through the 
tireless effort of many throughout the Department to implement meaningful corrective actions 
and develop strong processes and internal controls. 

We are currently updating our plans to address the challenges identified by the auditors, as well 
as those noted by management during our A- 123 assessment. Our plans will focus on sustaining 
progress at the components that have corrected weaknesses, as well as supporting corrective 
action plans in areas where weaknesses remain. Two particular challenges for the upcoming 
year will be the U.S. Coast Guard and the Federal Emergency Management Agency. 

Financial management at DHS has come a long way. I am inspired by the extraordinary efforts 
of the Department's dedicated staff, and am most appreciative of the partnership we have forged 
with your office. Together we will continue to improve financial management and grow a cadre 
of leaders ready to address the mission challenges of the next decade. 
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Additional Information and Copies 

To obtain additional copies of this report, call the Office of Inspector General 
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web 
site at www.dhs.gov/oig. 



OIG Hotline 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of 
criminal or noncriminal misconduct relative to department programs or 
operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, Attention: 
Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 

The OIG seeks to protect the identity of each writer and caller. 



